Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-41615

websda.c in GoAhead WebServer 2.1.8 has insufficient nonce entropy because the nonce calculation relies on the hardcoded onceuponatimeinparadise value, which does not follow the secret-data guideline for HTTP Digest Access Authentication in RFC 7616 section 3.3 (or RFC 2617 section 3.2.1). NOTE: 2.1.8 is a version from 2003; however, the affected websda.c code appears in multiple derivative works that may be used in 2021. Recent GoAhead software is unaffected.

Published

2022-08-08T19:15:12.247

Last Modified

2024-11-21T06:26:31.737

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

Weaknesses

Type: Primary
CWE-331

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	embedthis	goahead	2.1.8	Yes

References

https://devel.rtems.org/browser/rtems/cpukit/httpd/websda.c?rev=c1427d2758079f0e9dd6a8de1662d78e0d6bc4ca Mailing List, Third Party Advisory ([email protected])
https://github.com/trenta3/goahead-versions/blob/master/2.1.8/230165webs218.tar.gz?raw=true Product, Third Party Advisory ([email protected])
https://devel.rtems.org/browser/rtems/cpukit/httpd/websda.c?rev=c1427d2758079f0e9dd6a8de1662d78e0d6bc4ca Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/trenta3/goahead-versions/blob/master/2.1.8/230165webs218.tar.gz?raw=true Product, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)