CVE-2024-47178 HIGH

CVE-2024-47178: basic-auth-connect's callback uses time unsafe string comparison

Vendor Expressjs
Product basic-auth-connect
Weakness CWE-208
Published September 30, 2024
Last update September 30, 2024

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

basic-auth-connect is Connect's Basic Auth middleware in its own module. basic-auth-connect < 1.1.0 uses a timing-unsafe equality comparison that can leak timing information. This issue has been fixed in basic-auth-connect 1.1.0.

Key dates

02 Disclosure timeline

September 30, 2024 CVE published
September 30, 2024 Record updated