GHSA-qc2p-q7x9-v64p
Suggest an improvement- Source
- https://github.com/advisories/GHSA-qc2p-q7x9-v64p
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qc2p-q7x9-v64p/GHSA-qc2p-q7x9-v64p.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-qc2p-q7x9-v64p
- Aliases
- Published
- 2022-05-13T01:09:21Z
- Modified
- 2024-02-22T05:29:13.195723Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Covert Timing Channel in Apache CXF
- Details
-
The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF prior to 3.0.13 and 3.1.x prior to 3.1.10 is not using a constant time MAC signature comparison algorithm which may be exploited by sophisticated timing attacks.
- Database specific
{ "nvd_published_at": "2017-08-10T18:29:00Z", "github_reviewed_at": "2022-07-01T17:33:35Z", "cwe_ids": [ "CWE-385" ], "github_reviewed": true, "severity": "HIGH" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2017-3156
- https://github.com/apache/cxf/commit/1338469
- https://github.com/apache/cxf/commit/555843f
- https://access.redhat.com/errata/RHSA-2017:1832
- https://github.com/apache/cxf
- https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E
- http://cxf.apache.org/security-advisories.data/CVE-2017-3156.txt.asc
Affected packages
Maven / org.apache.cxf.karaf:apache-cxf
Package
- Name
- org.apache.cxf.karaf:apache-cxf
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.cxf.karaf/apache-cxf
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.0.13
Affected versions
2.*
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.3.10
2.3.11
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.4.7
2.4.8
2.4.9
2.4.10
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.5.5.1
2.5.6
2.5.7
2.5.8
2.5.9
2.5.10
2.5.11
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.6.1
2.6.7
2.6.8
2.6.9
2.6.10
2.6.11
2.6.12
2.6.13
2.6.14
2.6.15
2.6.16
2.6.17
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.7.8
2.7.9
2.7.10
2.7.11
2.7.12
2.7.13
2.7.14
2.7.15
2.7.16
2.7.17
2.7.18
3.*
3.0.0-milestone1
3.0.0-milestone2
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.0.10
3.0.11
3.0.12
Maven / org.apache.cxf.karaf:apache-cxf
Package
- Name
- org.apache.cxf.karaf:apache-cxf
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.cxf.karaf/apache-cxf