CVE-2021-381xx

This challenge covers the review of a CVE and its patch

PRO
Tier
Medium
< 1 Hr.
363

In this Code Review Patch challenge, you are provided with both the original vulnerable code and the patch that addresses the security flaw. Your task is to identify the security issue in the code without initially looking at the patch. This exercise is designed to enhance your skills in spotting vulnerabilities through code review.

The specific code in question is part of the Apache Kafka project, dealing with the PlainServerCallbackHandler.java file. The vulnerability involves how passwords are compared during the authentication process. The patch modifies the password comparison to use a constant-time comparison method, Utils.isEqualConstantTime, instead of the standard Arrays.equals method, to prevent timing attacks.

Want to learn more? Get started with PentesterLab Pro! GOPRO