{"id":"CVE-2021-21335","details":"In the SPNEGO HTTP Authentication Module for nginx (spnego-http-auth-nginx-module) before version 1.1.1, basic authentication can be bypassed using a malformed username. This affects users of spnego-http-auth-nginx-module that have enabled basic authentication. This is fixed in version 1.1.1 of spnego-http-auth-nginx-module. As a workaround, one may disable basic authentication.","modified":"2026-04-11T23:33:58.371721Z","published":"2021-03-08T21:15:16.573Z","related":["GHSA-ww8q-72rx-hc54"],"references":[{"type":"ADVISORY","url":"https://github.com/stnoonan/spnego-http-auth-nginx-module/releases/tag/v1.1.1"},{"type":"FIX","url":"https://github.com/stnoonan/spnego-http-auth-nginx-module/commit/a06f9efca373e25328b1c53639a48decd0854570"},{"type":"FIX","url":"https://github.com/stnoonan/spnego-http-auth-nginx-module/security/advisories/GHSA-ww8q-72rx-hc54"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/stnoonan/spnego-http-auth-nginx-module","events":[{"introduced":"0"},{"fixed":"a06f9efca373e25328b1c53639a48decd0854570"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.1.1"}]}}],"versions":["v1.0.0","v1.1.0"],"database_specific":{"vanir_signatures":[{"deprecated":false,"digest":{"function_hash":"72009278362700319588796017657292650017","length":3010},"target":{"file":"ngx_http_auth_spnego_module.c","function":"ngx_http_auth_spnego_handler"},"signature_type":"Function","id":"CVE-2021-21335-96db8614","source":"https://github.com/stnoonan/spnego-http-auth-nginx-module/commit/a06f9efca373e25328b1c53639a48decd0854570","signature_version":"v1"},{"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["184303827427714694529644895348184658594","339901842394811731769551324700142596822","77201998263918464123882835720729499067","319109234672289250995724412850191116713"]},"target":{"file":"ngx_http_auth_spnego_module.c"},"signature_type":"Line","id":"CVE-2021-21335-e3d42e4c","source":"https://github.com/stnoon
an/spnego-http-auth-nginx-module/commit/a06f9efca373e25328b1c53639a48decd0854570","signature_version":"v1"}],"vanir_signatures_modified":"2026-04-11T23:33:58Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21335.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}