CVE-2022-3143

EPSS 0.2%
Veröffentlicht 13.01.2023 06:15:11
Zuletzt bearbeitet 09.04.2025 14:15:23
Quelle secalert@redhat.com
Teams Watchlist Login
Unerledigt Login

wildfly-elytron: possible timing attacks via use of unsafe comparator. A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places, which is unsafe and vulnerable to timing attacks. To compare values securely, use java.security.MessageDigest.isEqual instead. This flaw allows an attacker to access secure information or impersonate an authed user.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Redhat ≫ Wildfly Elytron Version1.15.15

Redhat ≫ Jboss Enterprise Application Platform Version7.0.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.2%	0.423

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.4	2.2	5.2	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.4	2.2	5.2	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-203 Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

https://access.redhat.com/security/cve/CVE-2022-3143

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-3143

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-3143

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-3143

EUVD