CVE-2022-3143

Опубликовано: 13 янв. 2023

Источник: nvd

CVSS3: 7.4

EPSS Низкий

Описание

wildfly-elytron: possible timing attacks via use of unsafe comparator. A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places, which is unsafe and vulnerable to timing attacks. To compare values securely, use java.security.MessageDigest.isEqual instead. This flaw allows an attacker to access secure information or impersonate an authed user.

Ссылки

https://access.redhat.com/security/cve/CVE-2022-3143
Vendor Advisory
https://access.redhat.com/security/cve/CVE-2022-3143
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:redhat:wildfly_elytron:1.15.15:*:*:*:*:*:*:*

Конфигурация 2

cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*

EPSS

Процентиль: 65%

0.00499

Низкий

7.4 High

CVSS3

Дефекты

CWE-203

Связанные уязвимости

CVE-2022-3143

CVSS3: 7.4

redhat

больше 3 лет назад

GHSA-jmj6-p2j9-68cp

CVSS3: 7.4

github

около 3 лет назад

Wildfly-elytron possibly vulnerable to timing attacks via use of unsafe comparator

EPSS

Процентиль: 65%

0.00499

Низкий

7.4 High

CVSS3

Дефекты

CWE-203