CVE-2024-47178

basic-auth-connect is Connect's Basic Auth middleware in its own module. basic-auth-connect < 1.1.0 uses a timing-unsafe equality comparison that can leak timing information. This issue has been fixed in basic-auth-connect 1.1.0.
Configurations

Configuration 1 (hide)

cpe:2.3:a:expressjs:basic-auth-connect:*:*:*:*:*:node.js:*:*

History

15 Nov 2024, 18:05

Type Values Removed Values Added
CPE cpe:2.3:a:expressjs:basic-auth-connect:*:*:*:*:*:node.js:*:*
CWE NVD-CWE-Other
References () https://github.com/expressjs/basic-auth-connect/commit/bac1e6a8530e1efd0028800b9b588a37adb0d203 - () https://github.com/expressjs/basic-auth-connect/commit/bac1e6a8530e1efd0028800b9b588a37adb0d203 - Patch
References () https://github.com/expressjs/basic-auth-connect/security/advisories/GHSA-7p89-p6hx-q4fw - () https://github.com/expressjs/basic-auth-connect/security/advisories/GHSA-7p89-p6hx-q4fw - Exploit, Third Party Advisory
First Time Expressjs
Expressjs basic-auth-connect
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.3

04 Oct 2024, 13:51

Type Values Removed Values Added
Summary
  • (es) basic-auth-connect es el middleware de autenticación básica de Connect en su propio módulo. basic-auth-connect &lt; 1.1.0 utiliza una comparación de igualdad que no es segura en cuanto al tiempo y que puede filtrar información sobre el tiempo. Este problema se ha solucionado en basic-auth-connect 1.1.0.

30 Sep 2024, 16:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-30 16:15

Updated : 2024-11-15 18:05


NVD link : CVE-2024-47178

Mitre link : CVE-2024-47178

CVE.ORG link : CVE-2024-47178


JSON object : View

Products Affected

expressjs

  • basic-auth-connect
CWE
NVD-CWE-Other CWE-208

Observable Timing Discrepancy