CVE-2022-3143 – wildfly-elytron: possible timing attacks via use of unsafe comparator
https://notcve.org/view.php?id=CVE-2022-3143
wildfly-elytron: possible timing attacks via use of unsafe comparator. A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places, which is unsafe and vulnerable to timing attacks. To compare values securely, use java.security.MessageDigest.isEqual instead. This flaw allows an attacker to access secure information or impersonate an authed user. wildfly-elytron: posibles ataques de sincronización mediante el uso de un comparador inseguro. • https://access.redhat.com/security/cve/CVE-2022-3143 https://bugzilla.redhat.com/show_bug.cgi?id=2124682 • CWE-203: Observable Discrepancy CWE-208: Observable Timing Discrepancy •
CVE-2021-3642 – wildfly-elytron: possible timing attack in ScramServer
https://notcve.org/view.php?id=CVE-2021-3642
A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality. Se ha detectado un fallo en Wildfly Elytron en versiones anteriores a 1.10.14.Final, en versiones anteriores a la 1.15.5.Final y en versiones anteriores a la 1.16.1.Final donde ScramServer puede ser susceptible a Timing Attack si está habilitado. La mayor amenaza de esta vulnerabilidad es la confidencialidad. A flaw was found in Wildfly Elytron where ScramServer may be susceptible to Timing Attack if enabled. • https://bugzilla.redhat.com/show_bug.cgi?id=1981407 https://access.redhat.com/security/cve/CVE-2021-3642 • CWE-203: Observable Discrepancy •