CVE-2021-381xx

This challenge covers the review of a CVE and its patch.

PRO Tier | Medium | < 1 Hr. | 313



In this Code Review Patch challenge, you are provided with both the original vulnerable code and the patch that addresses the security flaw. Your task is to identify the security issue in the code without initially looking at the patch. This exercise is designed to enhance your skills in spotting vulnerabilities through code review.

The specific code in question is part of the Apache Kafka project, dealing with the `PlainServerCallbackHandler.java` file. The vulnerability involves how passwords are compared during the authentication process. The patch modifies the password comparison to use a constant-time comparison method, `Utils.isEqualConstantTime`, instead of the standard `Arrays.equals` method, to prevent timing attacks.
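The difference between an early-exit comparison and a constant-time one, as an added example that is neither Kafka's code nor the challenge's patch. The class name, method names and sample password are hypothetical, and the step counter is a deterministic stand-in for elapsed time.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Added illustration; all names here are hypothetical, not Kafka's.
public class PasswordCompareDemo {

    // Early-exit comparison, the behaviour of Arrays.equals on char[]:
    // it returns at the first mismatch, so the work done depends on how
    // many leading characters of the supplied value are correct.
    static boolean earlyExitEquals(char[] expected, char[] supplied, int[] steps) {
        if (expected.length != supplied.length) return false;
        for (int i = 0; i < expected.length; i++) {
            steps[0]++;
            if (expected[i] != supplied[i]) return false;
        }
        return true;
    }

    // Constant-time comparison: every position is examined and the
    // differences are OR-ed together, so the work done is the same
    // wherever the mismatch is. (The length check still reveals length.)
    static boolean constantTimeEquals(char[] expected, char[] supplied, int[] steps) {
        if (expected.length != supplied.length) return false;
        int diff = 0;
        for (int i = 0; i < expected.length; i++) {
            steps[0]++;
            diff |= expected[i] ^ supplied[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        char[] stored = "s3cr3t-pw".toCharArray(); // constructed sample value
        String[] supplied = {"x3cr3t-pw", "s3cx3t-pw", "s3cr3t-px", "s3cr3t-pw"};
        for (String s : supplied) {
            int[] early = {0}, constant = {0};
            boolean a = earlyExitEquals(stored, s.toCharArray(), early);
            boolean b = constantTimeEquals(stored, s.toCharArray(), constant);
            System.out.printf("%-10s early-exit: %b in %d steps | constant-time: %b in %d steps%n",
                    s, a, early[0], b, constant[0]);
        }
        // The JDK's own constant-time comparison for byte arrays.
        byte[] x = "s3cr3t-pw".getBytes(StandardCharsets.UTF_8);
        byte[] y = "s3cr3t-px".getBytes(StandardCharsets.UTF_8);
        System.out.println("MessageDigest.isEqual: " + MessageDigest.isEqual(x, y));
    }
}
```

The early-exit column reports 1, 4, 9 and 9 steps for the four inputs while the constant-time column reports 9 every time; that input-dependent variation is the signal a timing attack relies on.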
