PT-2021-3878 · Red Hat · Wildfly Elytron
Guilherme De Almeida Suckevicz · Published 2021-06-30 · Updated 2022-05-24 · CVE-2021-3642
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Wildfly Elytron versions prior to 1.10.14.Final
Wildfly Elytron versions prior to 1.15.5.Final
Wildfly Elytron versions prior to 1.16.1.Final
Description
A flaw was found in Wildfly Elytron where ScramServer, if enabled, may be susceptible to a timing attack. The primary threat from this issue is to confidentiality. The flaw lies in the implementation of the ScramServer class, whose inconsistent processing time may lead to information disclosure. Exploitation of this issue may allow a remote attacker to gain unauthorized access to protected information.
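The advisory does not say where in ScramServer the timing difference arises. The following added example (not Wildfly Elytron code) assumes the sensitive step is the server's check of the client's proof in SCRAM-SHA-256 (RFC 5802 section 3), and shows that step carried out with a constant-time comparison next to the early-exit comparison pattern that leaks timing; the credential, salt and AuthMessage are constructed sample values.

```python
# Added example, not Wildfly Elytron code: server-side SCRAM-SHA-256 proof
# verification (RFC 5802 section 3) with a constant-time StoredKey comparison.
import hashlib
import hmac

HASH = "sha256"

def _client_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    salted = hashlib.pbkdf2_hmac(HASH, password, salt, iterations)
    return hmac.new(salted, b"Client Key", HASH).digest()

def stored_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """StoredKey = H(ClientKey); this is all the server keeps for the user."""
    return hashlib.new(HASH, _client_key(password, salt, iterations)).digest()

def client_proof(password: bytes, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    """What a genuine client sends: ClientProof = ClientKey XOR ClientSignature."""
    ck = _client_key(password, salt, iterations)
    sig = hmac.new(hashlib.new(HASH, ck).digest(), auth_message, HASH).digest()
    return bytes(a ^ b for a, b in zip(ck, sig))

def naive_equal(a: bytes, b: bytes) -> bool:
    """The pattern to avoid: returns at the first mismatching byte, so rejection
    time depends on how many leading bytes of a guess were right (a timing side channel)."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True

def verify_proof(stored: bytes, auth_message: bytes, proof: bytes) -> bool:
    """Server side: ClientKey' = ClientProof XOR HMAC(StoredKey, AuthMessage), then
    check H(ClientKey') == StoredKey with a comparison whose running time does not
    depend on where the first differing byte is (hmac.compare_digest)."""
    if len(proof) != hashlib.new(HASH).digest_size:
        return False
    sig = hmac.new(stored, auth_message, HASH).digest()
    recovered = bytes(a ^ b for a, b in zip(proof, sig))
    return hmac.compare_digest(hashlib.new(HASH, recovered).digest(), stored)

# Constructed sample credential, salt and AuthMessage; not taken from any real exchange.
SALT = bytes.fromhex("4125c247e43ab1e93c6dff76")
ITERATIONS = 4096
AUTH_MESSAGE = b"n=user,r=cnonce,r=cnoncesnonce,s=QSXCR+Q6sek8bf92,i=4096,c=biws,r=cnoncesnonce"

def demo() -> tuple:
    """Returns (genuine proof accepted, wrong-password proof rejected)."""
    stored = stored_key(b"pencil", SALT, ITERATIONS)
    good = client_proof(b"pencil", SALT, ITERATIONS, AUTH_MESSAGE)
    bad = client_proof(b"pencil2", SALT, ITERATIONS, AUTH_MESSAGE)
    return verify_proof(stored, AUTH_MESSAGE, good), verify_proof(stored, AUTH_MESSAGE, bad)
```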
Recommendations
For versions prior to 1.10.14.Final, update to version 1.10.14.Final or later.
For versions prior to 1.15.5.Final, update to version 1.15.5.Final or later.
For versions prior to 1.16.1.Final, update to version 1.16.1.Final or later.
As a temporary workaround, consider disabling the ScramServer feature until a patch is available.
Fix
Side Channel Attack
Affected Products
Wildfly Elytron