CVE-2022-3143

CWE-203 CWE-2085 documents5 sources

Severity

7.4HIGH

EPSS

0.5%

top 34.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat.com Wildfly-elytron Redhat Jboss Enterprise Application Platform Redhat Wildfly Elytron

Timeline

PublishedJan 13

Description

wildfly-elytron: possible timing attacks via use of unsafe comparator. A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places, which is unsafe and vulnerable to timing attacks. To compare values securely, use java.security.MessageDigest.isEqual instead. This flaw allows an attacker to access secure information or impersonate an authed user.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 2.2 | Impact: 5.2

Affected Packages4 packages

▶Mavenorg.wildfly.security:wildfly-elytron1.16.0.CR1 — 1.20.3.Final+1

▶CVEListV5redhat.com/wildfly-elytron1.15.15 — 1.15.15

▶NVDredhat/wildfly_elytron1.15.15

▶NVDredhat/jboss_enterprise_application_platform7.0.0

🔴Vulnerability Details

GHSA

Wildfly-elytron possibly vulnerable to timing attacks via use of unsafe comparator↗2023-01-13

▶

OSV

Wildfly-elytron possibly vulnerable to timing attacks via use of unsafe comparator↗2023-01-13

▶

CVEList

CVE-2022-3143: wildfly-elytron: possible timing attacks via use of unsafe comparator↗2023-01-11

▶

📋Vendor Advisories

Red Hat

wildfly-elytron: possible timing attacks via use of unsafe comparator↗2022-09-06

▶