PRIOn knowledge base: PRION:CVE-2022-3143
Jan 13, 2023 - 6:15 a.m.

Design/Logic Flaw

Source: PRIOn knowledge base (www.prio-n.com)
Tags: wildfly-elytron, design flaw, timing attacks, java.util.arrays.equals, java.security.messagedigest.isequal, secure information, authed user

AI Score: 7.5 High (Confidence: High)
EPSS: 0.001 Low (Percentile: 51.0%)

wildfly-elytron: possible timing attacks via use of unsafe comparator.

A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places to compare values, which is unsafe and vulnerable to timing attacks. To compare values securely, use java.security.MessageDigest.isEqual instead. This flaw allows an attacker to access secure information or impersonate an authenticated user.
