CVE-2021-43298

Name of the Vulnerable Software and Affected Versions No specific software or versions are mentioned.

Description The issue concerns the password matching mechanism used in 'Basic' HTTP authentication. It does not utilize a constant-time comparison, such as memcmp, and lacks rate-limiting. This allows an unauthenticated network attacker to perform a brute-force attack on the HTTP basic password. The attack can be done byte-by-byte by analyzing the web server's response time until an unauthorized (401) response is received.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.