Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2021-3642

Summary
Assigner-redhat
Assigner Org ID-53f830b8-0a3f-465b-8143-3b8a9948e749
Published At-05 Aug, 2021 | 20:48
Updated At-03 Aug, 2024 | 17:01
Rejected At-
Credits

A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:redhat
Assigner Org ID:53f830b8-0a3f-465b-8143-3b8a9948e749
Published At:05 Aug, 2021 | 20:48
Updated At:03 Aug, 2024 | 17:01
Rejected At:
â–¼CVE Numbering Authority (CNA)

A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality.

Affected Products
Vendor
n/a
Product
wildfly-elytron
Versions
Affected
  • Wildfly Elytron 1.10.14.Final, Wildfly Elytron 1.15.5.Final, Wildfly Elytron 1.16.1.Final
Problem Types
TypeCWE IDDescription
CWECWE-203CWE-203
Type: CWE
CWE ID: CWE-203
Description: CWE-203
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://bugzilla.redhat.com/show_bug.cgi?id=1981407
x_refsource_MISC
Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=1981407
Resource:
x_refsource_MISC
â–¼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://bugzilla.redhat.com/show_bug.cgi?id=1981407
x_refsource_MISC
x_transferred
Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=1981407
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:secalert@redhat.com
Published At:05 Aug, 2021 | 21:15
Updated At:20 Oct, 2021 | 14:36

A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.15.3MEDIUM
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary2.03.5LOW
AV:N/AC:M/Au:S/C:P/I:N/A:N
Type: Primary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Type: Primary
Version: 2.0
Base score: 3.5
Base severity: LOW
Vector:
AV:N/AC:M/Au:S/C:P/I:N/A:N
CPE Matches
Red Hat, Inc.
redhat
>>wildfly_elytron>>Versions before 1.10.14(exclusive)
cpe:2.3:a:redhat:wildfly_elytron:*:*:*:*:*:*:*:*
Red Hat, Inc.
redhat
>>wildfly_elytron>>Versions from 1.11.0(inclusive) to 1.15.5(exclusive)
cpe:2.3:a:redhat:wildfly_elytron:*:*:*:*:*:*:*:*
Red Hat, Inc.
redhat
>>wildfly_elytron>>Versions from 1.16.0(inclusive) to 1.16.1(exclusive)
cpe:2.3:a:redhat:wildfly_elytron:*:*:*:*:*:*:*:*
Red Hat, Inc.
redhat
>>build_of_quarkus>>-
cpe:2.3:a:redhat:build_of_quarkus:-:*:*:*:*:*:*:*
Red Hat, Inc.
redhat
>>codeready_studio>>12.0
cpe:2.3:a:redhat:codeready_studio:12.0:*:*:*:*:*:*:*
Red Hat, Inc.
redhat
>>data_grid>>8.0
cpe:2.3:a:redhat:data_grid:8.0:*:*:*:*:*:*:*
Red Hat, Inc.
redhat
>>descision_manager>>7.0
cpe:2.3:a:redhat:descision_manager:7.0:*:*:*:*:*:*:*
Red Hat, Inc.
redhat
>>integration_camel_k>>-
cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*
Red Hat, Inc.
redhat
>>integration_camel_quarkus>>*
cpe:2.3:a:redhat:integration_camel_quarkus:*:*:*:*:*:*:*:*
Red Hat, Inc.
redhat
>>jboss_enterprise_application_platform>>7.0.0
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*
Red Hat, Inc.
redhat
>>jboss_enterprise_application_platform_expansion_pack>>-
cpe:2.3:a:redhat:jboss_enterprise_application_platform_expansion_pack:-:*:*:*:*:*:*:*
Red Hat, Inc.
redhat
>>jboss_fuse>>7.0.0
cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*
Red Hat, Inc.
redhat
>>openshift_application_runtimes>>-
cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:*:*:*:*
Red Hat, Inc.
redhat
>>process_automation>>7.0
cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*
quarkus
quarkus
>>quarkus>>Versions up to 2.1.4(inclusive)
cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-203Primarysecalert@redhat.com
CWE-203Secondarynvd@nist.gov
CWE ID: CWE-203
Type: Primary
Source: secalert@redhat.com
CWE ID: CWE-203
Type: Secondary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://bugzilla.redhat.com/show_bug.cgi?id=1981407secalert@redhat.com
Issue Tracking
Vendor Advisory
Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=1981407
Source: secalert@redhat.com
Resource:
Issue Tracking
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

57Records found
CVE-2019-13456
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.24% / 46.51%
||
7 Day CHG~0.00%
Published-03 Dec, 2019 | 19:53
Updated-04 Aug, 2024 | 23:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In FreeRADIUS 3.0 through 3.0.19, on average 1 in every 2048 EAP-pwd handshakes fails because the password element cannot be found within 10 iterations of the hunting and pecking loop. This leaks information that an attacker can use to recover the password of any user. This information leakage is similar to the "Dragonblood" attack and CVE-2019-9494.

Action-Not Available
Vendor-n/aFreeRADIUSopenSUSERed Hat, Inc.Linux Kernel Organization, Inc
Product-freeradiusenterprise_linuxlinux_kernelleapn/a
CWE ID-CWE-203
Observable Discrepancy
CVE-2018-5407
Matching Score-6
Assigner-CERT/CC
ShareView Details
Matching Score-6
Assigner-CERT/CC
CVSS Score-4.7||MEDIUM
EPSS-0.64% / 70.14%
||
7 Day CHG~0.00%
Published-15 Nov, 2018 | 21:00
Updated-05 Aug, 2024 | 05:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.

Action-Not Available
Vendor-N/ACanonical Ltd.Debian GNU/LinuxNode.js (OpenJS Foundation)OpenSSLTenable, Inc.Oracle CorporationRed Hat, Inc.
Product-enterprise_linux_serverubuntu_linuxpeoplesoft_enterprise_peopletoolstuxedoenterprise_linux_server_eusopensslenterprise_linux_server_ausenterprise_manager_base_platformmysql_enterprise_backupnode.jsprimavera_p6_enterprise_project_portfolio_managementvm_virtualboxdebian_linuxenterprise_linux_workstationapplication_serverenterprise_linux_server_tusenterprise_manager_ops_centerenterprise_linux_desktopnessusapi_gatewayProcessors supporting Simultaneous Multi-Threading
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-203
Observable Discrepancy
CVE-2022-29185
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.2||MEDIUM
EPSS-0.36% / 57.70%
||
7 Day CHG~0.00%
Published-20 May, 2022 | 19:30
Updated-23 Apr, 2025 | 18:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Observable Timing Discrepancy in totp-rs

totp-rs is a Rust library that permits the creation of 2FA authentification tokens per time-based one-time password (TOTP). Prior to version 1.1.0, token comparison was not constant time, and could theorically be used to guess value of an TOTP token, and thus reuse it in the same time window. The attacker would have to know the password beforehand nonetheless. Starting with patched version 1.1.0, the library uses constant-time comparison. There are currently no known workarounds.

Action-Not Available
Vendor-totp-rs_projectconstantoine
Product-totp-rstotp-rs
CWE ID-CWE-203
Observable Discrepancy
CWE ID-CWE-208
Observable Timing Discrepancy
CVE-2024-38322
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.12% / 31.32%
||
7 Day CHG~0.00%
Published-28 Jun, 2024 | 18:34
Updated-20 Aug, 2024 | 17:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Storage Defender information disclosure

IBM Storage Defender - Resiliency Service 2.0.0 through 2.0.4 agent username and password error response discrepancy exposes product to brute force enumeration. IBM X-Force ID: 294869.

Action-Not Available
Vendor-IBM Corporation
Product-storage_defender_resiliency_serviceStorage Defender - Resiliency Service
CWE ID-CWE-204
Observable Response Discrepancy
CWE ID-CWE-203
Observable Discrepancy
CVE-2020-2102
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-5.3||MEDIUM
EPSS-1.52% / 80.93%
||
7 Day CHG~0.00%
Published-29 Jan, 2020 | 15:15
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins 2.218 and earlier, LTS 2.204.1 and earlier used a non-constant time comparison function when validating an HMAC.

Action-Not Available
Vendor-Jenkins
Product-jenkinsJenkins
CWE ID-CWE-203
Observable Discrepancy
CVE-2020-10102
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.40% / 60.47%
||
7 Day CHG~0.00%
Published-05 Mar, 2020 | 00:37
Updated-04 Aug, 2024 | 10:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Zammad 3.0 through 3.2. The Forgot Password functionality is implemented in a way that would enable an anonymous user to guess valid user emails. In the current implementation, the application responds differently depending on whether the input supplied was recognized as associated with a valid user. This behavior could be used as part of a two-stage automated attack. During the first stage, an attacker would iterate through a list of account names to determine which correspond to valid accounts. During the second stage, the attacker would use a list of common passwords to attempt to brute force credentials for accounts that were recognized by the system in the first stage.

Action-Not Available
Vendor-zammadn/a
Product-zammadn/a
CWE ID-CWE-203
Observable Discrepancy
CVE-2020-2101
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-5.3||MEDIUM
EPSS-1.65% / 81.64%
||
7 Day CHG~0.00%
Published-29 Jan, 2020 | 15:15
Updated-04 Aug, 2024 | 07:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins 2.218 and earlier, LTS 2.204.1 and earlier did not use a constant-time comparison function for validating connection secrets, which could potentially allow an attacker to use a timing attack to obtain this secret.

Action-Not Available
Vendor-Jenkins
Product-jenkinsJenkins
CWE ID-CWE-203
Observable Discrepancy
  • Previous
  • 1
  • 2
  • Next
Details not found