basic-auth-connect's callback uses time unsafe string comparison · CVE-2024-47178 · GitHub Advisory Database · GitHub

basic-auth-connect's callback uses time unsafe string comparison

High severity GitHub Reviewed Published Sep 30, 2024 in expressjs/basic-auth-connect • Updated Sep 30, 2024

Package

basic-auth-connect (npm)

Affected versions

< 1.1.0

Patched versions

1.1.0

Description

Impact

basic-auth-connect <1.1.0 uses a timing-unsafe equality comparison that can leak timing information

Patches

this issue has been fixed in basic-auth-connect 1.1.0

References

References

UlisesGascon published to expressjs/basic-auth-connect

Sep 30, 2024

Published by the National Vulnerability Database

Sep 30, 2024

Published to the GitHub Advisory Database Sep 30, 2024

Reviewed Sep 30, 2024

Last updated Sep 30, 2024

Severity

High

/ 10

CVSS v4 base metrics

Exploitability Metrics

Attack Vector Network

Attack Complexity Low

Attack Requirements None

Privileges Required None

User interaction None

Vulnerable System Impact Metrics

Confidentiality High

Integrity None

Availability None

Subsequent System Impact Metrics

Confidentiality None

Integrity None

Availability None

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N