CVE-2021-3642

Aliases:GHSA-5499-qjvh-6j7w

Advisory lineage Upstream: 0 Downstream: 5

Downstream

RHSA-2021:3656 RHSA-2021:3658 RHSA-2021:5149 RHSA-2021:5150 RHSA-2021:5151

Modified

Published: 05 Aug 2021, 20:48

Last modified:03 Aug 2024, 17:01

Vulnerability Summary

Overall Risk (default)

low

21/100

CVSS Score

5.3 MEDIUM

v3.1 (nvd)

EPSS Score

0.27% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

05 Aug 2021, 20:48

Published

Vulnerability first disclosed

03 Aug 2024, 17:01

Last Modified

Vulnerability information updated

Description

A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality.

CVSS Metrics

v3.1•MEDIUM•Score: 5.3CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
v2.0•LOW•Score: 3.5AV:N/AC:M/Au:S/C:P/I:N/A:N

EPSS Trends

Current EPSS score: 0.27%• Percentile: 50%

Techniques & Countermeasures

CWE-203•Observable Discrepancy
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.

Affected Systems

org.wildfly.security•wildfly-elytron
< 1.10.14 | ≥ 1.11.0, < 1.15.5 | ≥ 1.16.0, < 1.16.1
quarkus•quarkus
≤ 2.1.4
redhat•build_of_quarkus
na
redhat•codeready_studio
12.0
redhat•data_grid
8.0
redhat•descision_manager
7.0
redhat•integration_camel_k
na
redhat•jboss_enterprise_application_platform
7.0.0
redhat•jboss_enterprise_application_platform_expansion_pack
na
redhat•jboss_fuse
7.0.0
redhat•openshift_application_runtimes
na
redhat•process_automation
7.0
redhat•wildfly_elytron
< 1.10.14 | ≥ 1.11.0, < 1.15.5 | ≥ 1.16.0, < 1.16.1