Basic Authentication can be bypassed using a malformed username

Moderate

stnoonan published GHSA-ww8q-72rx-hc54

Feb 26, 2021

Package

spnego-http-auth-nginx-module (nginx)

Affected versions

< 1.1

Patched versions

1.1.1

Description

Impact

Users of spnego-http-auth-nginx-module that have enabled basic authentication

Patches

Upgrade to published version 1.1.1 or patch a06f9ef into your version.

Workarounds

Disable basic authentication.

For more information

If you have any questions or comments about this advisory:

Open an issue on github
Email Sean at stnoonan@obsolescence.net

Disclosure

Thanks to Prakapovich Pavel aka Flyguy.by (flyguy.by@gmail.com) for the disclosure.

Severity

Moderate

5.3

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N