CVE-2021-3642

CWE-2035 documents5 sources

Severity

5.3MEDIUM

EPSS

0.3%

top 49.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Wildfly Elytron Quarkus Quarkus Redhat Codeready Studio +5 more

Timeline

PublishedAug 5

Latest updateMay 24

Description

A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.6 | Impact: 3.6

Affected Packages10 packages

▶NVDredhat/wildfly_elytron1.11.0 — 1.15.5+2

▶Mavenorg.wildfly.security:wildfly-elytron1.11.0 — 1.15.5+2

▶CVEListV5wildfly-elytronWildfly Elytron 1.10.14.Final, Wildfly Elytron 1.15.5.Final, Wildfly Elytron 1.16.1.Final

▶NVDquarkus/quarkus2.1.4

▶NVDredhat/data_grid8.0

🔴Vulnerability Details

OSV

Observable Discrepancy in Wildfly Elytron↗2022-05-24

▶

GHSA

Observable Discrepancy in Wildfly Elytron↗2022-05-24

▶

CVEList

CVE-2021-3642: A flaw was found in Wildfly Elytron in versions prior to 1↗2021-08-05

▶

📋Vendor Advisories

Red Hat

wildfly-elytron: possible timing attack in ScramServer↗2021-06-30

▶