Products
basic-auth-connect
- <1.1.0
Source
security-advisories@github.com
Tags
CVE-2024-47178 details
Published : Sept. 30, 2024, 4:15 p.m.
Last Modified : Sept. 30, 2024, 4:15 p.m.
Last Modified : Sept. 30, 2024, 4:15 p.m.
Description
basic-auth-connect is Connect's Basic Auth middleware in its own module. basic-auth-connect < 1.1.0 uses a timing-unsafe equality comparison that can leak timing information. This issue has been fixed in basic-auth-connect 1.1.0.
CVSS Score
| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 |
|---|
Weakness
| Weakness | Name | Description |
|---|---|---|
| CWE-208 | Observable Timing Discrepancy | Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
References
| URL | Source |
|---|---|
| https://github.com/expressjs/basic-auth-connect/commit/bac1e6a8530e1efd0028800b9b588a37adb0d203 | security-advisories@github.com |
| https://github.com/expressjs/basic-auth-connect/security/advisories/GHSA-7p89-p6hx-q4fw | security-advisories@github.com |
This website uses the NVD API, but is not approved or certified by it.