{"id":"CVE-2021-37848","details":"common/password.c in Pengutronix barebox through 2021.07.0 leaks timing information because strncmp is used during hash comparison.","modified":"2026-04-11T18:44:51.313489Z","published":"2021-08-02T20:15:08.303Z","references":[{"type":"FIX","url":"https://github.com/saschahauer/barebox/commit/a3337563c705bc8e0cf32f910b3e9e3c43d962ff"},{"type":"EVIDENCE","url":"https://gist.github.com/gquere/816dfadbad98745090034100a8a651eb"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/saschahauer/barebox","events":[{"introduced":"0"},{"fixed":"a3337563c705bc8e0cf32f910b3e9e3c43d962ff"}]},{"type":"GIT","repo":"https://github.com/saschahauer/barebox","events":[{"introduced":"0"},{"fixed":"a3337563c705bc8e0cf32f910b3e9e3c43d962ff"}]}],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"2021.07.0"}]},{"events":[{"introduced":"0"},{"last_affected":"2021.07.0"}]}],"vanir_signatures":[{"signature_version":"v1","id":"CVE-2021-37848-00cbff65","signature_type":"Line","target":{"file":"common/password.c"},"source":"https://github.com/saschahauer/barebox/commit/a3337563c705bc8e0cf32f910b3e9e3c43d962ff","digest":{"threshold":0.9,"line_hashes":["286483416564148237014664334187897996842","82341561494851006650848126628061910030","160300210200201742434445603001761179386","331255837984390417579900180276178061273","71206244788899728916889356691555085839","256458294048974650112929662464190582585","333251219697399135318302262459666338848","183776022809160989712221249666787241014","254544937353092481425502287652833645885","77921965859436756916281033906327323109","230797779611143726437514116441912154259","32386485479158884066927671304407540509"]},"deprecated":false},{"signature_version":"v1","id":"CVE-2021-37848-63c8d193","signature_type":"Function","target":{"function":"check_passwd","file":"common/password.c"},"source":"https://github.com/saschahauer/barebox/commit/a3337563c705bc8e0cf32f910b3e9e3c43d962ff","digest":{"function_hash":"90977046801678930462450758757847571578","length":1171},"deprecated":false}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-37848.json","vanir_signatures_modified":"2026-04-11T18:44:51Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}