{"id":"PYSEC-2021-95","details":"The aaugustin websockets library before 9.1 for Python has an Observable Timing Discrepancy on servers when HTTP Basic Authentication is enabled with basic_auth_protocol_factory(credentials=...). An attacker may be able to guess a password via a timing attack.","aliases":["CVE-2021-33880","GHSA-8ch4-58qp-g3mp"],"modified":"2023-11-08T04:06:06.475813Z","published":"2021-06-06T15:15:00Z","references":[{"type":"FIX","url":"https://github.com/aaugustin/websockets/commit/547a26b685d08cac0aa64e5e65f7867ac0ea9bc0"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-8ch4-58qp-g3mp"}],"affected":[{"package":{"name":"websockets","ecosystem":"PyPI","purl":"pkg:pypi/websockets"},"ranges":[{"type":"GIT","repo":"https://github.com/aaugustin/websockets","events":[{"introduced":"0"},{"fixed":"547a26b685d08cac0aa64e5e65f7867ac0ea9bc0"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.1"}]}],"versions":["0.1","1.0","2.0","2.1","2.2","2.3","2.4","2.5","2.6","2.7","3.0","3.1","3.2","3.3","3.4","4.0","4.0.1","5.0","5.0.1","6.0","7.0","8.0","8.0.1","8.0.2","8.1","9.0","9.0.1","9.0.2"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/websockets/PYSEC-2021-95.yaml"}}],"schema_version":"1.7.3"}