CVE-2021-41615

Name of the Vulnerable Software and Affected Versions GoAhead WebServer version 2.1.8

Description The issue arises from insufficient nonce entropy in the websda.c file of GoAhead WebServer. This is due to the nonce calculation relying on a hardcoded value, onceuponatimeinparadise, which does not adhere to the secret-data guideline for HTTP Digest Access Authentication as specified in RFC 7616 section 3.3 (or RFC 2617 section 3.2.1). Although version 2.1.8 is from 2003, the affected code appears in multiple derivative works that may still be in use. Recent GoAhead software is unaffected.

Recommendations For GoAhead WebServer version 2.1.8, consider updating to a newer version where this issue is resolved, as recent GoAhead software is unaffected. If updating is not feasible, a potential temporary workaround could involve modifying the nonce calculation to use a more secure, secret value, though this would require careful consideration of the implementation details to ensure compliance with relevant standards. At the moment, there is no information about a specific newer version that contains a fix for this vulnerability.