PT-2023-13035 · Unknown · Wildfly Elytron

Published 2023-01-11 · Updated 2023-01-25 · CVE-2022-3143

CVSS v3.1: 7.4 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Wildfly-elytron (affected versions not specified)

Description: A flaw was found in Wildfly-elytron, where it uses java.util.Arrays.equals in several places, which is unsafe and vulnerable to timing attacks. This allows an attacker to access secure information or impersonate an authenticated user. To compare values securely, java.security.MessageDigest.isEqual should be used instead.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider replacing java.util.Arrays.equals with java.security.MessageDigest.isEqual to securely compare values and minimize the risk of exploitation.
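The following Java class is an added illustration of the weakness and the recommended fix; it is not WildFly Elytron code and does not reproduce the affected call sites. It verifies an HMAC tag two ways: once with java.util.Arrays.equals, which returns as soon as it finds a differing byte (so its running time depends on how many leading bytes of the presented tag are correct), and once with java.security.MessageDigest.isEqual, which processes every byte before answering. The key and message are constructed sample values, and the class and method names are this example's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example (not WildFly Elytron code): comparing a computed HMAC tag
 * against a presented one. verifyTagUnsafe shows the early-exit pattern the
 * advisory describes; verifyTagSafe shows the recommended replacement.
 */
public class ConstantTimeCompare {

    // Constructed sample key for this example only; a real deployment
    // would load the key from a keystore or secret manager.
    private static final byte[] KEY =
            "example-secret-key-not-for-production".getBytes(StandardCharsets.UTF_8);

    // Compute HMAC-SHA256 over the message with the sample key.
    static byte[] hmac(byte[] message) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        return mac.doFinal(message);
    }

    // Vulnerable pattern: Arrays.equals stops at the first mismatching byte,
    // so the time it takes leaks how much of the presented tag was correct.
    static boolean verifyTagUnsafe(byte[] message, byte[] presentedTag) throws Exception {
        return Arrays.equals(hmac(message), presentedTag);
    }

    // Recommended pattern: MessageDigest.isEqual compares all bytes of
    // equal-length inputs regardless of where they differ.
    static boolean verifyTagSafe(byte[] message, byte[] presentedTag) throws Exception {
        return MessageDigest.isEqual(hmac(message), presentedTag);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample message and a tag with one flipped bit.
        byte[] msg = "order=42&amount=100".getBytes(StandardCharsets.UTF_8);
        byte[] goodTag = hmac(msg);
        byte[] badTag = goodTag.clone();
        badTag[badTag.length - 1] ^= 0x01;

        // Both methods return the same boolean results; the difference is
        // in how long the rejection of badTag takes, not in the answer.
        System.out.println("unsafe, correct tag: " + verifyTagUnsafe(msg, goodTag));
        System.out.println("unsafe, wrong tag:   " + verifyTagUnsafe(msg, badTag));
        System.out.println("safe, correct tag:   " + verifyTagSafe(msg, goodTag));
        System.out.println("safe, wrong tag:     " + verifyTagSafe(msg, badTag));
    }
}
```

Two points worth keeping in mind when applying the recommended replacement: MessageDigest.isEqual still returns immediately when the two arrays differ in length, so it is constant-time only for inputs of equal length (fixed-size tags and digests, as here), and the replacement must be made at every call site where a secret is compared, since a single remaining Arrays.equals on a secret reintroduces the issue.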

Weakness Enumeration

Side Channel Attack

Related Identifiers

CVE-2022-3143
GHSA-JMJ6-P2J9-68CP
RHSA-2023:0552
RHSA-2023:0553
RHSA-2023:0554
RHSA-2025:9582
RHSA-2025:9583

Affected Products

Wildfly Elytron