CVE-2021-21335 - OpenCVE

In the SPNEGO HTTP Authentication Module for nginx (spnego-http-auth-nginx-module) before version 1.1.1 basic Authentication can be bypassed using a malformed username. This affects users of spnego-http-auth-nginx-module that have enabled basic authentication. This is fixed in version 1.1.1 of spnego-http-auth-nginx-module. As a workaround, one may disable basic authentication.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Spnego Http Authentication Module Project	Spnego Http Authentication Module

Configuration 1 [-]

cpe:2.3:a:spnego_http_authentication_module_project:spnego_http_authentication_module:*:*:*:*:*:nginx:*:*

No data.

References

Link	Providers
https://github.com/stnoonan/spnego-http-auth-nginx-module/commit/a06f9efca373e25328b1c53639a48decd0854570
https://github.com/stnoonan/spnego-http-auth-nginx-module/releases/tag/v1.1.1
https://github.com/stnoonan/spnego-http-auth-nginx-module/security/advisories/GHSA-ww8q-72rx-hc54

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-03-08T20:20:19

Updated: 2024-08-03T18:09:15.422Z

Reserved: 2020-12-22T00:00:00

Link: CVE-2021-21335

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-03-08T21:15:16.573

Modified: 2021-03-12T14:21:39.980

Link: CVE-2021-21335

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "spnego-http-auth-nginx-module", "vendor": "stnoonan", "versions": [{"status": "affected", "version": "< 1.1.1"}]}], "descriptions": [{"lang": "en", "value": "In the SPNEGO HTTP Authentication Module for nginx (spnego-http-auth-nginx-module) before version 1.1.1 basic Authentication can be bypassed using a malformed username. This affects users of spnego-http-auth-nginx-module that have enabled basic authentication. This is fixed in version 1.1.1 of spnego-http-auth-nginx-module. As a workaround, one may disable basic authentication."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287: Improper Authentication", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-03-08T20:20:19", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/stnoonan/spnego-http-auth-nginx-module/security/advisories/GHSA-ww8q-72rx-hc54"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/stnoonan/spnego-http-auth-nginx-module/commit/a06f9efca373e25328b1c53639a48decd0854570"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/stnoonan/spnego-http-auth-nginx-module/releases/tag/v1.1.1"}], "source": {"advisory": "GHSA-ww8q-72rx-hc54", "discovery": "UNKNOWN"}, "title": "Basic Authentication can be bypassed using a malformed username", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21335", "STATE": "PUBLIC", "TITLE": "Basic Authentication can be bypassed using a malformed username"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "spnego-http-auth-nginx-module", "version": {"version_data": [{"version_value": "< 1.1.1"}]}}]}, "vendor_name": "stnoonan"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In the SPNEGO HTTP Authentication Module for nginx (spnego-http-auth-nginx-module) before version 1.1.1 basic Authentication can be bypassed using a malformed username. This affects users of spnego-http-auth-nginx-module that have enabled basic authentication. This is fixed in version 1.1.1 of spnego-http-auth-nginx-module. As a workaround, one may disable basic authentication."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-287: Improper Authentication"}]}]}, "references": {"reference_data": [{"name": "https://github.com/stnoonan/spnego-http-auth-nginx-module/security/advisories/GHSA-ww8q-72rx-hc54", "refsource": "CONFIRM", "url": "https://github.com/stnoonan/spnego-http-auth-nginx-module/security/advisories/GHSA-ww8q-72rx-hc54"}, {"name": "https://github.com/stnoonan/spnego-http-auth-nginx-module/commit/a06f9efca373e25328b1c53639a48decd0854570", "refsource": "MISC", "url": "https://github.com/stnoonan/spnego-http-auth-nginx-module/commit/a06f9efca373e25328b1c53639a48decd0854570"}, {"name": "https://github.com/stnoonan/spnego-http-auth-nginx-module/releases/tag/v1.1.1", "refsource": "MISC", "url": "https://github.com/stnoonan/spnego-http-auth-nginx-module/releases/tag/v1.1.1"}]}, "source": {"advisory": "GHSA-ww8q-72rx-hc54", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:09:15.422Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/stnoonan/spnego-http-auth-nginx-module/security/advisories/GHSA-ww8q-72rx-hc54"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/stnoonan/spnego-http-auth-nginx-module/commit/a06f9efca373e25328b1c53639a48decd0854570"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/stnoonan/spnego-http-auth-nginx-module/releases/tag/v1.1.1"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21335", "datePublished": "2021-03-08T20:20:19", "dateReserved": "2020-12-22T00:00:00", "dateUpdated": "2024-08-03T18:09:15.422Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:spnego_http_authentication_module_project:spnego_http_authentication_module:*:*:*:*:*:nginx:*:*", "matchCriteriaId": "89B04778-31B0-41E8-856F-DE883677ED15", "versionEndExcluding": "1.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the SPNEGO HTTP Authentication Module for nginx (spnego-http-auth-nginx-module) before version 1.1.1 basic Authentication can be bypassed using a malformed username. This affects users of spnego-http-auth-nginx-module that have enabled basic authentication. This is fixed in version 1.1.1 of spnego-http-auth-nginx-module. As a workaround, one may disable basic authentication."}, {"lang": "es", "value": "En el m\u00f3dulo de autenticaci\u00f3n HTTP SPNEGO para nginx (spnego-http-auth-nginx-module) versiones anteriores a 1.1.1, la Autenticaci\u00f3n b\u00e1sica puede ser omitido usando un nombre de usuario malformado. Esto afecta a usuarios de spnego-http-auth-nginx-module que han habilitado la autenticaci\u00f3n b\u00e1sica. Esto es corregido en versi\u00f3n 1.1.1 de spnego-http-auth-nginx-module. Como una soluci\u00f3n alternativa, puede ser deshabilitar la autenticaci\u00f3n b\u00e1sica"}], "id": "CVE-2021-21335", "lastModified": "2021-03-12T14:21:39.980", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-03-08T21:15:16.573", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/stnoonan/spnego-http-auth-nginx-module/commit/a06f9efca373e25328b1c53639a48decd0854570"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/stnoonan/spnego-http-auth-nginx-module/releases/tag/v1.1.1"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/stnoonan/spnego-http-auth-nginx-module/security/advisories/GHSA-ww8q-72rx-hc54"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Primary"}]}