Lucene search

GitHub Advisory DatabaseGHSA-JMJ6-P2J9-68CP

HistoryJan 13, 2023 - 6:30 a.m.

Wildfly-elytron possibly vulnerable to timing attacks via use of unsafe comparator

2023-01-1306:30:22

CWE-203

CWE-208

GitHub Advisory Database

github.com

wildfly-elytron

timing attacks

unsafe comparator

java.util.arrays.equals

java.security.messagedigest.isequal

secure information

authed user

software

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

0.001 Low

EPSS

Percentile

51.0%

JSON

wildfly-elytron: possible timing attacks via use of unsafe comparator. A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places, which is unsafe and vulnerable to timing attacks. To compare values securely, use java.security.MessageDigest.isEqual instead. This flaw allows an attacker to access secure information or impersonate an authed user.

Affected configurations

Vulners

Node

org.wildfly.security\wildflyMatchelytron

CPENameOperatorVersion
org.wildfly.security:wildfly-elytronlt1.20.3.Final
org.wildfly.security:wildfly-elytronlt1.15.15.Final

CPE	Name	Operator	Version
	org.wildfly.security:wildfly-elytron	lt	1.20.3.Final
	org.wildfly.security:wildfly-elytron	lt	1.15.15.Final

References

access.redhat.com/security/cve/CVE-2022-3143

bugzilla.redhat.com/show_bug.cgi?id=2124682

github.com/advisories/GHSA-jmj6-p2j9-68cp

nvd.nist.gov/vuln/detail/CVE-2022-3143

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

0.001 Low

EPSS

Percentile

51.0%

JSON

Related for GHSA-JMJ6-P2J9-68CP