CVE-2026-27480
Severity: MEDIUM (CVSS 5.3) | EPSS 0.03%
Static Web Server affected by timing-based username enumeration in Basic Authentication due to early response on invalid usernames
Description
## Summary

A timing-based username enumeration vulnerability in Basic Authentication, caused by an early response on invalid usernames, could allow attackers to identify valid users and focus their efforts on targeted brute-force or credential-stuffing attacks.

## Details

SWS validates the provided username before performing any password verification.

- **Invalid username:** the server returns a `401 Unauthorized` response immediately.
- **Valid username:** the server proceeds to verify the password (e.g., using `bcrypt`), which introduces a different execution path and a measurable timing discrepancy.

This allows an attacker to distinguish between existing and non-existing accounts by analyzing response times.

## PoC

The following statistical results were obtained by measuring the mean response time over 100 iterations using a custom Rust script:

| User Type | Average Response Time |
| :--- | :--- |
| **Invalid User** | 0.409861 ms |
| **Valid User** | 0.250925 ms |
| **Difference** | **~0.158936 ms** |

While the valid user responded faster in this specific test environment, the statistically significant gap confirms that the authentication logic does not execute in constant time.

## Impact

Users of the SWS Basic Authentication feature are primarily impacted.
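The defensive pattern that closes this class of bug is to make the "unknown user" path do the same password-hashing work as the "known user" path, so the two are indistinguishable by response time. The following is an added illustration written for this page in Python; it is not SWS's own Rust code and does not reproduce the project's fix. It uses PBKDF2 from the standard library as a stand-in for `bcrypt`, a constructed single-user database, and a `DUMMY_HASH` computed at startup against which lookups for unknown usernames are verified. `authenticate_vulnerable` shows the early-return shape described in the advisory; `authenticate_hardened` always runs the key-derivation step and only then combines the "user exists" and "password matches" results.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional

# Constructed work factor and salt length for the illustration (not SWS values).
ITERATIONS = 20_000
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password) as one byte string."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the derived key and compare it in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Constructed user store: one known account.
USERS: Dict[str, bytes] = {"alice": hash_password("correct horse battery staple")}

# Dummy credential computed once at startup. Verifying an unknown user's
# password against it costs the same KDF work as a real verification.
DUMMY_HASH = hash_password(os.urandom(16).hex())


def authenticate_vulnerable(users: Dict[str, bytes], username: str, password: str) -> bool:
    """Early-return shape from the advisory: no KDF work for unknown users."""
    stored = users.get(username)
    if stored is None:
        return False  # fast path leaks that the username does not exist
    return verify_password(password, stored)


def authenticate_hardened(users: Dict[str, bytes], username: str, password: str) -> bool:
    """Always run the KDF, then AND the two conditions without short-circuiting."""
    stored = users.get(username)
    user_exists = stored is not None
    password_ok = verify_password(password, stored if user_exists else DUMMY_HASH)
    # Bitwise AND on bools: both operands are already evaluated above.
    return user_exists & password_ok


def mean_ms(fn: Callable[..., bool], *args, iterations: int = 10) -> float:
    """Mean wall-clock time of fn(*args) in milliseconds over `iterations` calls."""
    start = time.perf_counter()
    for _ in range(iterations):
        fn(*args)
    return (time.perf_counter() - start) * 1000.0 / iterations


if __name__ == "__main__":
    wrong = "not-the-password"
    for name, fn in (("vulnerable", authenticate_vulnerable), ("hardened", authenticate_hardened)):
        known = mean_ms(fn, USERS, "alice", wrong)
        unknown = mean_ms(fn, USERS, "mallory", wrong)
        print(f"{name:10s} known-user {known:8.3f} ms  unknown-user {unknown:8.3f} ms")
```

Running the script prints the mean time for a wrong-password attempt against a known and an unknown username under each implementation. The vulnerable variant shows the gap the advisory measured (the unknown-user path skips the KDF entirely); the hardened variant shows both paths paying the same cost. Response codes and bodies must also be identical on both paths, which is the case here since both simply return `False`.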
Affected packages (1)
- crates.io/static-web-server: >= 2.1.0, < 2.41.0
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.3) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
References (4)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-27480
- PATCH: https://github.com/static-web-server/static-web-server
- WEB: https://github.com/static-web-server/static-web-server/commit/7bf0fd425eb10dac9bf9ef5febce12c4dd039ce1
- WEB: https://github.com/static-web-server/static-web-server/security/advisories/GHSA-qhp6-635j-x7r2