Vulnerability Description
wildfly-elytron: possible timing attacks via use of unsafe comparator. A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places to compare secret values; this method returns as soon as it finds a differing byte, so the time it takes leaks how much of the compared value matched, making it vulnerable to timing attacks. To compare such values securely, use java.security.MessageDigest.isEqual instead. This flaw allows an attacker to access secure information or impersonate an authenticated user.
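As an added illustration that is not wildfly-elytron or Red Hat code, the following hypothetical token check shows the unsafe comparison the advisory names beside the recommended replacement, and the one caveat a practitioner should know about the replacement; the class, method and sample values are assumed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

// Hypothetical token check (not wildfly-elytron code) showing the comparison
// pattern the advisory describes and the recommended replacement.
public class TokenCompare {

    // Vulnerable pattern: Arrays.equals stops at the first differing byte, so the
    // elapsed time grows with the length of the prefix the caller got right.
    static boolean verifyUnsafe(byte[] expected, byte[] presented) {
        return Arrays.equals(expected, presented);
    }

    // Recommended pattern: MessageDigest.isEqual examines every byte of
    // equal-length inputs before returning, so timing does not reveal where
    // the two values diverge.
    static boolean verifySafe(byte[] expected, byte[] presented) {
        return MessageDigest.isEqual(expected, presented);
    }

    // Caveat: isEqual still returns immediately when the lengths differ. When
    // the length of the secret must also stay hidden, compare fixed-size digests
    // of both values so that every comparison runs over the same number of bytes.
    static boolean verifySafeHidingLength(byte[] expected, byte[] presented)
            throws NoSuchAlgorithmException {
        byte[] a = MessageDigest.getInstance("SHA-256").digest(expected);
        byte[] b = MessageDigest.getInstance("SHA-256").digest(presented);
        return MessageDigest.isEqual(a, b);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample values, not real credentials.
        byte[] secret   = "s3cr3t-session-token".getBytes(StandardCharsets.UTF_8);
        byte[] match    = "s3cr3t-session-token".getBytes(StandardCharsets.UTF_8);
        byte[] nearMiss = "s3cr3t-session-tokeX".getBytes(StandardCharsets.UTF_8);
        byte[] shorter  = "s3cr3t".getBytes(StandardCharsets.UTF_8);

        System.out.println("unsafe: " + verifyUnsafe(secret, match) + " " + verifyUnsafe(secret, nearMiss));
        System.out.println("safe:   " + verifySafe(secret, match) + " " + verifySafe(secret, nearMiss));
        System.out.println("hidden: " + verifySafeHidingLength(secret, match) + " "
                + verifySafeHidingLength(secret, shorter));
    }
}
```

All three checks return the same boolean results; the difference the advisory cares about is only in how long a mismatch takes to report, which is what a remote timing measurement observes.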
CVSS Score
7.4 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Wildfly Elytron | 1.15.15 |
| Redhat | Jboss Enterprise Application Platform | 7.0.0 |
Related Weaknesses (CWE)
References
- https://access.redhat.com/security/cve/CVE-2022-3143 (Vendor Advisory)
FAQ
What is CVE-2022-3143?
CVE-2022-3143 is a vulnerability with a CVSS score of 7.4 (HIGH). wildfly-elytron: possible timing attacks via use of unsafe comparator. A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places, which is unsafe and vulnerab...
How severe is CVE-2022-3143?
CVE-2022-3143 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-3143?
Check the references section above for vendor advisories and patch information. Affected products include: Redhat Wildfly Elytron, Redhat Jboss Enterprise Application Platform.