ID

VAR-202201-1821


CVE

CVE-2021-43298


TITLE

GoAhead vulnerability: improper restriction of excessive authentication attempts

Trust: 0.8

sources: JVNDB: JVNDB-2022-004217

DESCRIPTION

The code that performs password matching when using 'Basic' HTTP authentication does not use a constant-time memcmp and has no rate limiting. This means that an unauthenticated network attacker can brute-force the HTTP Basic password byte by byte by recording the web server's response time until the unauthorized (401) response. GoAhead is therefore vulnerable to improper restriction of excessive authentication attempts. Possible consequences include disclosure of information, tampering with information, and interruption of service operation (DoS). Embedthis Software GoAhead is an open source small embedded web server from Embedthis Software in the United States.

Trust: 1.71

sources: NVD: CVE-2021-43298 // JVNDB: JVNDB-2022-004217 // VULHUB: VHN-404338

AFFECTED PRODUCTS

vendor: embedthis; model: goahead; scope: lt; version: 5.1.4

Trust: 1.0

vendor: embedthis; model: goahead; scope: eq; version: -

Trust: 0.8

vendor: embedthis; model: goahead; scope: -; version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-004217 // NVD: CVE-2021-43298

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-43298
value: CRITICAL

Trust: 1.0

NVD: CVE-2021-43298
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-202201-2335
value: CRITICAL

Trust: 0.6

VULHUB: VHN-404338
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-43298
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-404338
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-43298
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2021-43298
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-404338 // JVNDB: JVNDB-2022-004217 // CNNVD: CNNVD-202201-2335 // NVD: CVE-2021-43298

PROBLEMTYPE DATA

problemtype: CWE-307

Trust: 1.1

problemtype: CWE-208

Trust: 1.0

problemtype: Improper Restriction of Excessive Authentication Attempts (CWE-307) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-404338 // JVNDB: JVNDB-2022-004217 // NVD: CVE-2021-43298

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202201-2335

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202201-2335

PATCH

title: Top Page; url: https://www.embedthis.com/

Trust: 0.8

title: Embedthis Software GoAhead Security vulnerabilities; url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=180331

Trust: 0.6

sources: JVNDB: JVNDB-2022-004217 // CNNVD: CNNVD-202201-2335

EXTERNAL IDS

db: NVD; id: CVE-2021-43298

Trust: 3.3

db: JVN; id: JVNVU92569237

Trust: 0.8

db: JVNDB; id: JVNDB-2022-004217

Trust: 0.8

db: CNNVD; id: CNNVD-202201-2335

Trust: 0.7

db: VULHUB; id: VHN-404338

Trust: 0.1

sources: VULHUB: VHN-404338 // JVNDB: JVNDB-2022-004217 // CNNVD: CNNVD-202201-2335 // NVD: CVE-2021-43298

REFERENCES

url: https://github.com/embedthis/goahead/issues/304

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2021-43298

Trust: 1.4

url: https://jvn.jp/vu/jvnvu92569237/index.html

Trust: 0.8

sources: VULHUB: VHN-404338 // JVNDB: JVNDB-2022-004217 // CNNVD: CNNVD-202201-2335 // NVD: CVE-2021-43298

SOURCES

db: VULHUB; id: VHN-404338
db: JVNDB; id: JVNDB-2022-004217
db: CNNVD; id: CNNVD-202201-2335
db: NVD; id: CVE-2021-43298

LAST UPDATE DATE

2024-08-14T13:05:55.113000+00:00


SOURCES UPDATE DATE

db: VULHUB; id: VHN-404338; date: 2022-02-01T00:00:00
db: JVNDB; id: JVNDB-2022-004217; date: 2023-05-11T08:45:00
db: CNNVD; id: CNNVD-202201-2335; date: 2022-03-10T00:00:00
db: NVD; id: CVE-2021-43298; date: 2022-02-01T13:46:54.290

SOURCES RELEASE DATE

db: VULHUB; id: VHN-404338; date: 2022-01-25T00:00:00
db: JVNDB; id: JVNDB-2022-004217; date: 2023-03-31T00:00:00
db: CNNVD; id: CNNVD-202201-2335; date: 2022-01-25T00:00:00
db: NVD; id: CVE-2021-43298; date: 2022-01-25T20:15:08.510