CVE-2021-381xx
This challenge covers the review of a CVE and its patch
In this Code Review Patch challenge, you are provided with both the original vulnerable code and the patch that addresses the security flaw. Your task is to identify the security issue in the code without initially looking at the patch. This exercise is designed to enhance your skills in spotting vulnerabilities through code review.
The specific code in question is part of the Apache Kafka project, in the PlainServerCallbackHandler.java file. The vulnerability involves how passwords are compared during the authentication process. The patch modifies the password comparison to use a constant-time comparison method, Utils.isEqualConstantTime, instead of the standard Arrays.equals method, to prevent timing attacks.
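To make the patch concrete, here is an added example (not Kafka's own code, and not the original PlainServerCallbackHandler) showing a PLAIN password check in its vulnerable form beside a constant-time form. The class name, the method names and the stored password are constructed for illustration; the constant-time body follows the same idea as Utils.isEqualConstantTime (no early exit, differences accumulated with XOR/OR) but is an illustrative implementation, not a copy of Kafka's:

```java
import java.util.Arrays;

// Added example: password comparison as done in a PLAIN SASL callback handler,
// vulnerable and hardened side by side. Not part of the Apache Kafka code base.
public class PlainPasswordCheck {

    // Vulnerable: Arrays.equals returns at the first mismatching character, so
    // the time spent depends on how many leading characters of the guess were
    // correct. That is the timing side channel the CVE describes.
    static boolean authenticateVulnerable(char[] expected, char[] supplied) {
        return Arrays.equals(expected, supplied);
    }

    // Hardened: always walks the whole supplied array and folds every difference
    // into one accumulator, so the running time does not depend on where the
    // first mismatch is or on the contents of the stored password.
    // Illustrative implementation (assumption), modelled on the idea behind
    // Utils.isEqualConstantTime rather than copied from it.
    static boolean authenticateConstantTime(char[] expected, char[] supplied) {
        if (expected == null || supplied == null) {
            return false;
        }
        if (expected.length == 0) {
            return supplied.length == 0;
        }
        int diff = 0;
        // j cycles over the stored password so a longer guess never indexes
        // past the end of expected; the loop length depends only on the guess,
        // which the caller already knows.
        for (int i = 0, j = 0; i < supplied.length; i++) {
            diff |= supplied[i] ^ expected[j];
            j = (j + 1) % expected.length;
        }
        // The length check is folded in after the full loop, not before it.
        return diff == 0 && expected.length == supplied.length;
    }

    public static void main(String[] args) {
        char[] stored = "s3cr3t-pass".toCharArray();            // constructed sample
        char[][] attempts = {
            "s3cr3t-pass".toCharArray(),                          // correct
            "s3cr3t-pasX".toCharArray(),                          // last char wrong
            "x".toCharArray(),                                    // first char wrong
            "".toCharArray()                                      // empty guess
        };
        for (char[] attempt : attempts) {
            System.out.printf("%-14s vulnerable=%b constantTime=%b%n",
                    "\"" + new String(attempt) + "\"",
                    authenticateVulnerable(stored, attempt),
                    authenticateConstantTime(stored, attempt));
        }
        // Both methods return the same booleans for every attempt; the only
        // difference is that the hardened one takes the same path regardless
        // of how much of the guess matched.
    }
}
```

The functional results are identical for both methods, which is why this class of bug is easy to miss in review: nothing in a unit test's pass/fail output changes. The thing to look for is any early-exit comparison (Arrays.equals, String.equals, manual loops that break on the first mismatch) applied to a secret. When the secret is available as bytes rather than chars, the JDK's MessageDigest.isEqual is a constant-time alternative that needs no hand-written loop.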