Vulnerabilities > CVE-2022-3143 - Information Exposure Through Discrepancy vulnerability in Redhat products

CVSS 7.4 - HIGH

Attack vector

NETWORK

Attack complexity

HIGH

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

NONE

network

high complexity

redhat

CWE-203

NVD

Published: 2023-01-13

Updated: 2023-01-25

Summary

wildfly-elytron: possible timing attacks via use of unsafe comparator. A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places, which is unsafe and vulnerable to timing attacks. To compare values securely, use java.security.MessageDigest.isEqual instead. This flaw allows an attacker to access secure information or impersonate an authed user.

Vulnerable Configurations

Part	Description	Count
Application	Redhat Redhat Wildfly Elytron 1.15.15 Redhat Jboss Enterprise Application Platform 7.0.0	2

Common Weakness Enumeration (CWE)

CWE-203 - Information Exposure Through Discrepancy

References

https://access.redhat.com/security/cve/CVE-2022-3143