CVSS2 : 2.6 Low (AV:N/AC:H/Au:N/C:P/I:N/A:N)
  Attack Vector : NETWORK
  Attack Complexity : HIGH
  Authentication : NONE
  Confidentiality Impact : PARTIAL
  Integrity Impact : NONE
  Availability Impact : NONE
CVSS3 : 5.9 Medium (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
  Attack Vector : NETWORK
  Attack Complexity : HIGH
  Privileges Required : NONE
  User Interaction : NONE
  Scope : UNCHANGED
  Confidentiality Impact : HIGH
  Integrity Impact : NONE
  Availability Impact : NONE
EPSS : 0.001 Low
  Percentile : 44.9%
Severity: Medium
Date : 2021-06-09
CVE-ID : CVE-2021-33880
Package : python-websockets
Type : private key recovery
Remote : Yes
Link : https://security.archlinux.org/AVG-2040
The package python-websockets before version 9.1-1 is vulnerable to
private key recovery.
Upgrade to 9.1-1.
The problem has been fixed upstream in version 9.1.
None.
The aaugustin websockets library before 9.1 for Python has an
observable timing discrepancy on servers when HTTP Basic Authentication
is enabled with basic_auth_protocol_factory(credentials=…). An
attacker may be able to guess a password via a timing attack.
A remote attacker could guess HTTP Basic Authentication passwords using
a timing attack.
https://github.com/aaugustin/websockets/commit/547a26b685d08cac0aa64e5e65f7867ac0ea9bc0
https://security.archlinux.org/CVE-2021-33880
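As an added illustration of the defect class named above (not the websockets project's own code, and not the actual patched function): a Basic Authentication check that compares credentials with ordinary string equality, beside a hardened form using `hmac.compare_digest`. The credentials, the header values and the helper names are constructed for this example.

```python
import base64
import binascii
import hmac

# Constructed sample credentials held server-side (placeholder values).
EXPECTED_USERNAME = "alice"
EXPECTED_PASSWORD = "s3cret"


def parse_basic_authorization(header: str):
    """Decode 'Basic <base64>' into (username, password).

    Returns None when the scheme is not Basic, the token is not valid
    base64, or the decoded value has no 'user:password' separator."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def check_credentials_naive(username: str, password: str) -> bool:
    """Pattern of the defect class: '==' on str stops at the first differing
    byte, so the time taken depends on how much of the guess is correct."""
    return username == EXPECTED_USERNAME and password == EXPECTED_PASSWORD


def check_credentials_constant_time(username: str, password: str) -> bool:
    """Hardened form: hmac.compare_digest takes time independent of the
    content, and both fields are always compared (no 'and' short-circuit),
    so a wrong username costs the same as a wrong password."""
    user_ok = hmac.compare_digest(username.encode(), EXPECTED_USERNAME.encode())
    pass_ok = hmac.compare_digest(password.encode(), EXPECTED_PASSWORD.encode())
    return user_ok & pass_ok


def authorize(header: str) -> bool:
    """Check one Authorization header value with the constant-time comparison."""
    parsed = parse_basic_authorization(header)
    if parsed is None:
        return False
    return check_credentials_constant_time(*parsed)
```

`hmac.compare_digest` still lets the lengths of the two inputs influence timing, which is why comparing against a fixed-length digest of the secret is the usual next step when the length itself is sensitive.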
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| ArchLinux | any | any | python-websockets | < 9.1-1 | UNKNOWN |