JFrog Security Research
< Back

XRAY-194044 - GoAhead timing attack auth bypass

CVE-2021-43298 | CVSS 5.3

JFrog Severity:medium

Discovered ByOmer Kaspiof the JFrog Security Research Team

Published 1 Jan, 2022 | Last updated 1 Jan, 2022

A timing attack in GoAhead allows an attacker to perform authentication bypass on password-protected web pages

GoAhead

(,5.1.3], fixed in 5.1.4

The code that performs password matching when using "Basic" HTTP authentication does not use a constant-time memcmp. Furthermore – by default there is no rate-limiting on the number of guesses allowed before blocking the attacking IP. This means that an unauthenticated network attacker can brute-force the HTTP basic password, byte-by-byte, by recording the webserver’s response time until the unauthorized (401) response.

No PoC is supplied for this issue

No vulnerability mitigations are supplied for this issue

NVD

< Back