Description
basic-auth-connect is Connect's Basic Auth middleware in its own module. basic-auth-connect < 1.1.0 uses a timing-unsafe equality comparison that can leak timing information. This issue has been fixed in basic-auth-connect 1.1.0.
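The following is an added example, not code from basic-auth-connect or its advisory: it contrasts a plain `===` credential check with a constant-time check built on Node's `crypto.timingSafeEqual`. The function names and the sample credentials are assumptions made for illustration.

```javascript
const nodeCrypto = require('crypto');

// Timing-unsafe pattern: string `===` may return at the first differing
// character, so the time taken depends on how much of the guess is correct.
function unsafeCheck(user, pass, expectedUser, expectedPass) {
  return user === expectedUser && pass === expectedPass;
}

// Hash to a fixed 32 bytes before comparing: timingSafeEqual throws a
// RangeError on buffers of different length, and the digest hides the length.
function digest(value) {
  return nodeCrypto.createHash('sha256').update(String(value), 'utf8').digest();
}

function safeEqual(a, b) {
  return nodeCrypto.timingSafeEqual(digest(a), digest(b));
}

function safeCheck(user, pass, expectedUser, expectedPass) {
  // Run both comparisons unconditionally; `&&` would skip the password
  // comparison whenever the user name is wrong.
  const userOk = safeEqual(user, expectedUser);
  const passOk = safeEqual(pass, expectedPass);
  return (userOk & passOk) === 1;
}

// Parse an "Authorization: Basic <base64>" header value into user and pass.
function parseBasic(header) {
  const m = /^Basic ([A-Za-z0-9+/=]+)$/i.exec(header || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const i = decoded.indexOf(':');
  if (i < 0) return null;
  return { user: decoded.slice(0, i), pass: decoded.slice(i + 1) };
}

function authorize(header, expectedUser, expectedPass) {
  const creds = parseBasic(header);
  if (!creds) return false;
  return safeCheck(creds.user, creds.pass, expectedUser, expectedPass);
}

// Constructed sample request header (credentials are made up).
const sample = 'Basic ' + Buffer.from('admin:s3cret').toString('base64');
console.log(authorize(sample, 'admin', 's3cret'));
```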
References
https://github.com/expressjs/basic-auth-connect/security/advisories/GHSA-7p89-p6hx-q4fw
Exploit, Third Party Advisory
CVSS impact metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 · Medium
Information
Source identifier
Vulnerability status
Analyzed
Published
2024-09-30T14:15:09.410Z
Last modified
2024-11-15T17:05:22.603Z