ID

VAR-202201-1821


CVE

CVE-2021-43298


TITLE

GoAhead  Vulnerability in improperly limiting excessive authentication attempts in

Trust: 0.8

sources: JVNDB: JVNDB-2022-004217

DESCRIPTION

The code that performs password matching when using 'Basic' HTTP authentication does not use a constant-time memcmp and has no rate-limiting. This means that an unauthenticated network attacker can brute-force the HTTP basic password, byte-by-byte, by recording the webserver's response time until the unauthorized (401) response. GoAhead Is vulnerable to improper restrictions on excessive authentication attempts.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Embedthis Software GoAhead is an open source small embedded Web server from Embedthis Software in the United States

Trust: 1.71

sources: NVD: CVE-2021-43298 // JVNDB: JVNDB-2022-004217 // VULHUB: VHN-404338

AFFECTED PRODUCTS

vendor:embedthismodel:goaheadscope:ltversion:5.1.4

Trust: 1.0

vendor:embedthismodel:goaheadscope:eqversion: -

Trust: 0.8

vendor:embedthismodel:goaheadscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-004217 // NVD: CVE-2021-43298

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-43298
value: CRITICAL

Trust: 1.0

NVD: CVE-2021-43298
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-202201-2335
value: CRITICAL

Trust: 0.6

VULHUB: VHN-404338
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-43298
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-404338
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-43298
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2021-43298
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-404338 // JVNDB: JVNDB-2022-004217 // CNNVD: CNNVD-202201-2335 // NVD: CVE-2021-43298

PROBLEMTYPE DATA

problemtype:CWE-307

Trust: 1.1

problemtype:CWE-208

Trust: 1.0

problemtype:Inappropriate limitation of excessive authentication attempts (CWE-307) [NVD evaluation ]

Trust: 0.8

sources: VULHUB: VHN-404338 // JVNDB: JVNDB-2022-004217 // NVD: CVE-2021-43298

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202201-2335

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202201-2335

PATCH

title:Top Pageurl:https://www.embedthis.com/

Trust: 0.8

title:Embedthis Software GoAhead Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=180331

Trust: 0.6

sources: JVNDB: JVNDB-2022-004217 // CNNVD: CNNVD-202201-2335

EXTERNAL IDS

db:NVDid:CVE-2021-43298

Trust: 3.3

db:JVNid:JVNVU92569237

Trust: 0.8

db:JVNDBid:JVNDB-2022-004217

Trust: 0.8

db:CNNVDid:CNNVD-202201-2335

Trust: 0.7

db:VULHUBid:VHN-404338

Trust: 0.1

sources: VULHUB: VHN-404338 // JVNDB: JVNDB-2022-004217 // CNNVD: CNNVD-202201-2335 // NVD: CVE-2021-43298

REFERENCES

url:https://github.com/embedthis/goahead/issues/304

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2021-43298

Trust: 1.4

url:https://jvn.jp/vu/jvnvu92569237/index.html

Trust: 0.8

sources: VULHUB: VHN-404338 // JVNDB: JVNDB-2022-004217 // CNNVD: CNNVD-202201-2335 // NVD: CVE-2021-43298

SOURCES

db:VULHUBid:VHN-404338
db:JVNDBid:JVNDB-2022-004217
db:CNNVDid:CNNVD-202201-2335
db:NVDid:CVE-2021-43298

LAST UPDATE DATE

2024-11-23T20:13:50.174000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-404338date:2022-02-01T00:00:00
db:JVNDBid:JVNDB-2022-004217date:2023-05-11T08:45:00
db:CNNVDid:CNNVD-202201-2335date:2022-03-10T00:00:00
db:NVDid:CVE-2021-43298date:2024-11-21T06:29:01.873

SOURCES RELEASE DATE

db:VULHUBid:VHN-404338date:2022-01-25T00:00:00
db:JVNDBid:JVNDB-2022-004217date:2023-03-31T00:00:00
db:CNNVDid:CNNVD-202201-2335date:2022-01-25T00:00:00
db:NVDid:CVE-2021-43298date:2022-01-25T20:15:08.510