CVE-2021-33880

Name of the Vulnerable Software and Affected Versions aaugustin websockets library versions prior to 9.1

Description The issue is related to an Observable Timing Discrepancy in the aaugustin websockets library when HTTP Basic Authentication is enabled using basic auth protocol factory(credentials=...). This discrepancy may allow an attacker to guess a password via a timing attack, potentially leading to unauthorized access to confidential data.

Recommendations For versions prior to 9.1, update to version 9.1 or later to resolve the issue. As a temporary workaround, consider disabling the basic auth protocol factory function with credentials parameter until a patch is available. Restrict access to the basic auth protocol factory function to minimize the risk of exploitation. Avoid using the credentials parameter in the affected authentication endpoint until the issue is resolved.