CVE

GHSA-jmj6-p2j9-68cp

Wildfly-elytron possibly vulnerable to timing attacks via use of unsafe comparator

CVE

GHSA-jmj6-p2j9-68cp

Wildfly-elytron possibly vulnerable to timing attacks via use of unsafe comparator

wildfly-elytron: possible timing attacks via use of unsafe comparator. A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places, which is unsafe and vulnerable to timing attacks. To compare values securely, use java.security.MessageDigest.isEqual instead. This flaw allows an attacker to access secure information or impersonate an authed user.

Package Versions Affected

org.wildfly.security:wildfly-elytron-credential 1.20.2.Final

Available

Unavailable

org.wildfly.security:wildfly-elytron-x500 1.20.2.Final

Available

Unavailable

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading

Detect compatible fix

Apply safe remediation

Fix with a single pull request

CVSS Version

7.4

3.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

3.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

7.4

3.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Related Resources

No items found.

References

https://nvd.nist.gov/vuln/detail/CVE-2022-3143, https://access.redhat.com/security/cve/CVE-2022-3143, https://bugzilla.redhat.com/show_bug.cgi?id=2124682, https://github.com/wildfly-security/wildfly-elytron

Severity

7.4

CVSS Score

Basic Information

Ecosystem

Base CVSS

7.4

EPSS Probability

0.0029%

EPSS Percentile

0.52078%

Introduced Version

1.0.0.Alpha1,1.1.0.Beta2,1.1.0.Beta22,1.16.0.CR1,1.9.0.CR1,1.8.0.Alpha1

Fix Available

1.15.15.Final,1.20.3.Final

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.

Fix Without Upgrading

Get a Demo

Let's Patch It!

GHSA-jmj6-p2j9-68cp