CVE-2017-3156 – org.apache.cxf.karaf:apache-cxf
Package
Manager: maven
Name: org.apache.cxf.karaf:apache-cxf
Vulnerable Version: >=0 <3.0.13 || >=3.1.0 <3.1.10
Severity
Level: High
CVSS v3.0: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.1307 (percentile 0.93849)
Details
Covert Timing Channel in Apache CXF
The OAuth2 Hawk and JOSE MAC validation code in Apache CXF prior to 3.0.13, and in 3.1.x prior to 3.1.10, does not use a constant-time MAC signature comparison algorithm, which may be exploited by sophisticated timing attacks. A comparison that returns at the first mismatching byte runs measurably longer the more leading bytes of the attacker's guess are correct, so a remote attacker who can time responses can recover a valid MAC one byte at a time instead of guessing the whole value. Upgrade to 3.0.13 or 3.1.10, where the comparison is constant-time.
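The following is an added example (not Apache CXF code) that shows the vulnerable early-exit comparison next to a constant-time one, and runs a byte-by-byte forgery against each. The side channel is modelled as the number of bytes the comparison inspects rather than as wall-clock time, so the attack is deterministic and runs offline; a real attacker obtains the same signal from response latency over many samples. The key and message are constructed sample values; `hmac.compare_digest` plays the role that `MessageDigest.isEqual` plays in Java.

```python
"""Timing side channel in MAC verification: leaky vs constant-time comparison.

Added example, not Apache CXF code. The leak is modelled by counting how many
bytes the comparison inspects instead of measuring time, so the attack is
deterministic; a real attacker measures response latency to get the same signal.
"""
import hashlib
import hmac
from typing import Callable, Tuple

SECRET_KEY = b"server-side-hmac-key-constructed-for-demo"  # constructed sample key
MESSAGE = b"GET /resource?id=42"                           # constructed sample message


def compute_mac(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag over the message (the expected value the server computes)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def leaky_equal(expected: bytes, candidate: bytes) -> Tuple[bool, int]:
    """Early-exit comparison: the pattern CVE-2017-3156 describes.

    Returns (match, bytes_inspected). The second value is the side channel:
    it grows by one for every leading byte the attacker has already guessed.
    """
    if len(expected) != len(candidate):
        return False, 0
    inspected = 0
    for e, c in zip(expected, candidate):
        inspected += 1
        if e != c:
            return False, inspected  # stops at the first mismatch
    return True, inspected


def constant_time_equal(expected: bytes, candidate: bytes) -> Tuple[bool, int]:
    """Constant-time comparison: inspects every byte, no data-dependent early exit."""
    if len(expected) != len(candidate):
        return False, 0
    diff = 0
    for e, c in zip(expected, candidate):
        diff |= e ^ c  # accumulate differences without branching on them
    return diff == 0, len(expected)


def forge_tag(verify: Callable[[bytes], Tuple[bool, int]], tag_len: int) -> bytes:
    """Byte-by-byte forgery against a verification oracle.

    verify(candidate) returns (accepted, bytes_inspected). For each position the
    attacker keeps the byte that made the server do the most work. Against a
    constant-work oracle every guess ties, so the guess never advances.
    """
    guess = bytearray(tag_len)
    for pos in range(tag_len):
        best_byte, best_work = 0, -1
        for b in range(256):
            guess[pos] = b
            accepted, work = verify(bytes(guess))
            if accepted:
                return bytes(guess)
            if work > best_work:
                best_byte, best_work = b, work
        guess[pos] = best_byte
    return bytes(guess)


def attack_with(comparator: Callable[[bytes, bytes], Tuple[bool, int]]) -> bool:
    """Run the forgery against a server that uses `comparator`; True if the forged tag is accepted."""
    expected = compute_mac(SECRET_KEY, MESSAGE)

    def verify(candidate: bytes) -> Tuple[bool, int]:
        # The server holds the expected tag; the attacker only sees the oracle's answer.
        return comparator(expected, candidate)

    forged = forge_tag(verify, len(expected))
    return hmac.compare_digest(forged, expected)


if __name__ == "__main__":
    print("leaky comparison forged:", attack_with(leaky_equal))
    print("constant-time comparison forged:", attack_with(constant_time_equal))
```

Against `leaky_equal` the forgery succeeds in at most 32 × 256 oracle queries; against `constant_time_equal` every guess costs the same and the attacker learns nothing, which is the property the 3.0.13 / 3.1.10 fix restores.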
Metadata
Created: 2022-05-13T01:09:21Z
Modified: 2023-12-21T23:03:29Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qc2p-q7x9-v64p/GHSA-qc2p-q7x9-v64p.json
CWE IDs: CWE-385 (Covert Timing Channel)
Alternative ID: GHSA-qc2p-q7x9-v64p
Finding: F115
Auto approve: 1