CVE-2022-3143

CVSS 7.4 HIGHEPSS 0.6%CWE-203

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 7.4EPSS 0.6%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

11 Jan 2023Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

wildfly-elytron: possible timing attacks via use of unsafe comparator. A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places, which is unsafe and vulnerable to timing attacks. To compare values securely, use java.security.MessageDigest.isEqual instead. This flaw allows an attacker to access secure information or impersonate an authed user.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected products

redhat.com · Wildfly-elytron

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://access.redhat.com/security/cve/CVE-2022-3143