CVE-2022-3143

Published: Jan 13, 2023Modified: Apr 9, 2025

7.4

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Exploitability: 2.2 / Impact: 5.2

Source: NVD

Description

wildfly-elytron: possible timing attacks via use of unsafe comparator. A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places, which is unsafe and vulnerable to timing attacks. To compare values securely, use java.security.MessageDigest.isEqual instead. This flaw allows an attacker to access secure information or impersonate an authed user.

Affected (2)

Products: Redhat: Wildfly Elytron, Jboss Enterprise Application Platform

2 products

Wildfly Elytron

Jboss Enterprise Application Platform

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Redhat Wildfly Elytron	Version 1.15.15

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Redhat Jboss Enterprise Application Platform	Version 7.0.0

Related CWEs

Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

References (2)

https://access.redhat.com/security/cve/CVE-2022-3143

Source: secalert@redhat.com

Vendor Advisory

https://access.redhat.com/security/cve/CVE-2022-3143

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.