Home > Vulnerability Database > CVE-2022-3143

Mend.io Vulnerability Database

CVE-2022-3143

Good to know:

Date: January 11, 2023

wildfly-elytron: possible timing attacks via use of unsafe comparator. A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places, which is unsafe and vulnerable to timing attacks. To compare values securely, use java.security.MessageDigest.isEqual instead. This flaw allows an attacker to access secure information or impersonate an authed user.

Language: Java

Severity Score

7.4

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-3143

Url: https://bugzilla.redhat.com/show_bug.cgi?id=2124682

Url: https://access.redhat.com/security/cve/CVE-2022-3143

Url: https://github.com/wildfly-security/wildfly-elytron

Url: https://www.mend.io/vulnerability-database/CVE-2022-3143

Severity Score

7.4

Weakness Type (CWE)

Observable Discrepancy

CWE-203

Observable Timing Discrepancy

CWE-208

Top Fix

Upgrade Version

Upgrade to version org.wildfly.security:wildfly-elytron:1.20.3.Final;org.wildfly.security:wildfly-elytron:1.15.15.Final;org.wildfly.security:wildfly-elytron:1.15.15.Final

Learn More

CVSS v3.1

Base Score:	7.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2022-3143

Good to know:

Date: January 11, 2023

Language: Java

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?