Question 1

Is there a bug in websockets?

Accepted Answer

Observable Timing Discrepancy in aaugustin websockets library The aaugustin websockets library before 9.1 for Python has an Observable Timing Discrepancy on servers when HTTP Basic Authentication is enabled with basic_auth_protocol_factory(credentials=...). An attacker may be able to guess a password via a timing attack. Fixed in websockets 9.1.

Question 2

Is there a bug in websockets 4.0?

Accepted Answer

websockets is vulnerable to denial of service by memory exhaustion The Python websockets library version 4 contains a CWE-409: Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in Servers and clients, unless configured with compression=None that can result in Denial of Service by memory exhaustion. This attack appears to be exploitable via sending a specially crafted frame on an established connection. This vulnerability appears to have been fixed in version 5.0 Fixed in websockets 5.0.

Question 3

Is there a bug in websockets?

Accepted Answer

PYSEC-2021-95: advisory The aaugustin websockets library before 9.1 for Python has an Observable Timing Discrepancy on servers when HTTP Basic Authentication is enabled with basic_auth_protocol_factory(credentials=...). An attacker may be able to guess a password via a timing attack. Fixed in websockets 547a26b685d08cac0aa64e5e65f7867ac0ea9bc0.

Question 4

Is there a bug in websockets?

Accepted Answer

PYSEC-2018-79: advisory aaugustin websockets version 4 contains a CWE-409: Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in Servers and clients, unless configured with compression=None that can result in Denial of Service by memory exhaustion. This attack appear to be exploitable via Sending a specially crafted frame on an established connection. This vulnerability appears to have been fixed in 5. Fixed in websockets 5.0.

Severity	Affected	Fixed in	Title	Status	Source
high	any	9.1	Observable Timing Discrepancy in aaugustin websockets library The aaugustin websockets library before 9.1 for Python has an Observable Timing Discrepancy on servers when HTTP Basic Authentication is enabled with basic_auth_protocol_factory(credentials=...). An attacker may be able to guess a password via a timing attack.	fixed	osv:GHSA-8ch4-58qp-g3mp
high	4.0	5.0	websockets is vulnerable to denial of service by memory exhaustion The Python websockets library version 4 contains a CWE-409: Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in Servers and clients, unless configured with compression=None that can result in Denial of Service by memory exhaustion. This attack appears to be exploitable via sending a specially crafted frame on an established connection. This vulnerability appears to have been fixed in version 5.0	fixed	osv:GHSA-6g87-ff9q-v847
medium	any	547a26b685d08cac0aa64e5e65f7867ac0ea9bc0	PYSEC-2021-95: advisory The aaugustin websockets library before 9.1 for Python has an Observable Timing Discrepancy on servers when HTTP Basic Authentication is enabled with basic_auth_protocol_factory(credentials=...). An attacker may be able to guess a password via a timing attack.	fixed	osv:PYSEC-2021-95
medium	any	5.0	PYSEC-2018-79: advisory aaugustin websockets version 4 contains a CWE-409: Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in Servers and clients, unless configured with compression=None that can result in Denial of Service by memory exhaustion. This attack appear to be exploitable via Sending a specially crafted frame on an established connection. This vulnerability appears to have been fixed in 5.	fixed	osv:PYSEC-2018-79

websockets known bugs