Wildfly-elytron possibly vulnerable to timing attacks via use of unsafe comparator
Severity: High
GitHub Reviewed
Published Jan 13, 2023 to the GitHub Advisory Database • Updated Jan 25, 2023
Package
Affected versions: < 1.15.15.Final; >= 1.16.0.CR1, < 1.20.3.Final
Patched versions: 1.15.15.Final, 1.20.3.Final
Description
Published by the National Vulnerability Database: Jan 13, 2023
Published to the GitHub Advisory Database: Jan 13, 2023
Reviewed: Jan 13, 2023
Last updated: Jan 25, 2023
wildfly-elytron: possible timing attacks via use of unsafe comparator. A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places, which is unsafe and vulnerable to timing attacks: Arrays.equals returns as soon as it finds the first differing byte, so the time a comparison takes reveals how long a prefix of the secret the supplied value matched. To compare values securely, use java.security.MessageDigest.isEqual instead. This flaw allows an attacker to access secure information or impersonate an authenticated user.
References
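The two comparison styles the advisory contrasts, side by side in an added example (this is illustrative code, not code from the wildfly-elytron project): the verification of an HMAC tag is done first with Arrays.equals, the pattern the advisory flags, and then with MessageDigest.isEqual, the fix it recommends. The key, message and class and method names here are constructed for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class MacVerify {

    // Vulnerable pattern named in the advisory: Arrays.equals returns at the first
    // mismatching byte, so its running time depends on how long a prefix of the
    // expected value the supplied value matches. Kept here only to show the
    // "before" form; do not use it for secrets.
    static boolean verifyUnsafe(byte[] expected, byte[] supplied) {
        return Arrays.equals(expected, supplied);
    }

    // Hardened form recommended by the advisory: MessageDigest.isEqual examines
    // every byte of equal-length inputs, so the time does not depend on where
    // the first difference sits. (It still returns false immediately when the
    // lengths differ, which is acceptable for fixed-length tags such as an HMAC.)
    static boolean verifySafe(byte[] expected, byte[] supplied) {
        return MessageDigest.isEqual(expected, supplied);
    }

    // Helper to produce a fixed-length authentication tag for the demonstration.
    static byte[] hmacSha256(byte[] key, byte[] message) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(message);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs; a real deployment would load the key from a secret store.
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
        byte[] message = "session=42;role=user".getBytes(StandardCharsets.UTF_8);
        byte[] expected = hmacSha256(key, message);

        // A tag that differs only in its final byte: the worst case for Arrays.equals,
        // because almost every byte matches before the early exit.
        byte[] tampered = expected.clone();
        tampered[tampered.length - 1] ^= 0x01;

        System.out.println("safe, genuine tag:    " + verifySafe(expected, expected.clone()));
        System.out.println("safe, tampered tag:   " + verifySafe(expected, tampered));
        System.out.println("unsafe, genuine tag:  " + verifyUnsafe(expected, expected.clone()));
        System.out.println("unsafe, tampered tag: " + verifyUnsafe(expected, tampered));
    }
}
```

Both methods return the same boolean for every input; the difference the advisory is about is only in how long the call takes, which is why a functional test suite will not catch the unsafe form. When auditing a code base for this pattern, look for Arrays.equals (and String.equals) applied to MACs, password hashes, session tokens or similar secrets, and replace those call sites with MessageDigest.isEqual.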