CVE-2025-59432
SCRAM timing attack (CVE-2025-59432) affects the SCRAM Java implementation prior to v3.2 due to using Arrays.equals to compare secret values, causing variable execution time. It can enable a timing side‑channel to infer authentication material. The issue is mitigated by using constant-time compar...
SCRAM Java Implementation Security Vulnerability
SCRAM Java Implementation is an open source Java implementation library for SCRAM by OnGres Inc. A security vulnerability exists in SCRAM Java Implementation versions prior to 3.2, which stems from the use of Arrays.equals for sensitive value comparisons, and could lead to a timing side channel...
com.datasqrl:sqrl-discovery (>=0.7.0 <=0.8.7), com.datasqrl:sqrl-planner (>=0.7.0 <=0.8.7) +20 more potentially affected by CVE-2025-59432 via com.ongres.scram:scram-common (>=3.0 <=3.1)
com.ongres.scram:scram-common MAVEN version =3.0, =0.7.0, =0.7.0, =0.7.0, =0.3.124, =0.3.124, =0.3.124, =0.3.124, =0.3.124, =0.3.124, =0.3.124, =0.3.124, =0.3.124, =1.0.0, =3.0, =2.4.0-RC1, =2.4.0-rc1 and more Source cves: CVE-2025-59432 Source advisory: OSV:GHSA-3WFH-36RX-9537...
com.datasqrl:sqrl-discovery (>=0.7.0 <=0.8.7), com.datasqrl:sqrl-planner (>=0.7.0 <=0.8.7) +20 more potentially affected by CVE-2025-59432 via com.ongres.scram:scram-common (>=3.0 <=3.1)
com.ongres.scram:scram-common MAVEN version =3.0, =0.7.0, =0.7.0, =0.7.0, =0.3.124, =0.3.124, =0.3.124, =0.3.124, =0.3.124, =0.3.124, =0.3.124, =0.3.124, =0.3.124, =1.0.0, =3.0, =2.4.0-RC1, =2.4.0-rc1 and more Source cves: CVE-2025-59432 Source advisory: SNYK:JAVA-COMONGRESSCRAM-12818392...
Timing Attack Vulnerability in SCRAM Authentication
Impact A timing attack vulnerability exists in the SCRAM Java implementation. The issue arises because Arrays.equals was used to compare secret values such as client proofs and server signatures. Since Arrays.equals performs a short-circuit comparison, the execution time varies depending on how...
Timing Attack
Overview: Affected versions of this package are vulnerable to a Timing Attack via the verifyClientProof function, which uses the Arrays.equals function. An attacker can infer sensitive authentication material by exploiting timing differences during the comparison of secret values. Remediation: Upgrade...
PT-2025-38753
Name of the Vulnerable Software and Affected Versions: versions prior to 3.2. Description: A timing attack issue exists in the SCRAM Java implementation due to the use of Arrays.equals for comparing sensitive values like client proofs and server signatures. Arrays.equals performs a short-circuit...
MAL-2025-36068 Malicious code in test-mlw2-quell-parol-scram-mayed (npm)
The package test-mlw2-quell-parol-scram-mayed was found to contain malicious code...
ROS-20250630-05
The Salted Challenge Response Authentication Mechanism (SCRAM) vulnerability in the Apache Kafka Message Manager is due to a lack of verification of one-time message numbers (nonces) between messages...
Important: Red Hat Security Advisory: Streams for Apache Kafka 2.9.1 release and security update
Streams for Apache Kafka 2.9.1 is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each...
CVE-2024-37034
An issue was discovered in Couchbase Server before 7.2.5 and 7.6.0 before 7.6.1. It does not ensure that credentials are negotiated with the Key-Value (KV) service using SCRAM-SHA when remote link encryption is configured for Half-Secure...
CVE-2022-33173
An algorithm-downgrade issue was discovered in Couchbase Server before 7.0.4. Analytics Remote Links may temporarily downgrade to a non-TLS connection to determine the TLS port number, using SCRAM-SHA instead...
Security Bulletin: Multiple Vulnerabilities in IBM Event Streams
Summary: Multiple vulnerabilities were addressed in IBM Event Streams version 11.7.0. Vulnerability Details: CVEID: CVE-2024-52798 DESCRIPTION: path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cau...
Security Bulletin: A vulnerability in Logstash shipped with IBM Operations Analytics - Log Analysis (CVE-2024-56128)
Summary: There is a Kafka vulnerability in Logstash shipped with IBM Operations Analytics - Log Analysis. Vulnerability Details: CVEID: CVE-2024-56128 DESCRIPTION: Incorrect Implementation of Authentication Algorithm in Apache Kafka's SCRAM implementation. Issue Summary: Apache Kafka's implementation...
Security Bulletin: Vulnerability in Apache Kafka's SCRAM implementation affects watsonx.data
Summary: Incorrect Implementation of Authentication Algorithm in Apache Kafka's SCRAM implementation. These can affect watsonx.data. Vulnerability Details: CVEID: CVE-2024-56128 DESCRIPTION: Incorrect Implementation of Authentication Algorithm in Apache Kafka's SCRAM implementation. Issue Summary:...
Incorrect Implementation Of The Authentication Algorithm
org.apache.kafka, kafka-clients is vulnerable to an incorrect implementation of the authentication algorithm. The vulnerability is due to the lack of nonce verification in Apache Kafka's SCRAM implementation, where the server does not verify that the nonce sent by the client in the second message...
BIT-KAFKA-2024-56128 Apache Kafka: SCRAM authentication vulnerable to replay attacks when used without encryption
Incorrect Implementation of Authentication Algorithm in Apache Kafka's SCRAM implementation. Issue Summary: Apache Kafka's implementation of the Salted Challenge Response Authentication Mechanism (SCRAM) did not fully adhere to the requirements of RFC 5802. Specifically, as per RFC 5802, the serv...
CVE-2024-56128
A flaw was found in Apache Kafka's implementation of the Salted Challenge Response Authentication Mechanism (SCRAM), which did not fully adhere to the requirements of RFC 5802. Specifically, as per RFC 5802, the server must verify that the nonce sent by the client in the second message matches the...
Apache Kafka's SCRAM implementation Incorrectly Implements Authentication Algorithm
Incorrect Implementation of Authentication Algorithm in Apache Kafka's SCRAM implementation. Issue Summary: Apache Kafka's implementation of the Salted Challenge Response Authentication Mechanism (SCRAM) did not fully adhere to the requirements of RFC 5802. Specifically, as per RFC 5802, the serv...