Description

The code which checks HMAC in form submissions used String.equals() for comparisons, which results in a timing side channel for the comparison of the HMAC signatures. This could lead to remote code execution if an attacker is able to determine the correct signature for their payload. The comparison should be done with a constant time algorithm instead.

Remediation

References

https://lists.apache.org/thread.html/6e8f42c88da7be3c60aafe3f6a85eb00b4f8b444de26b38d36233a43%40%3Cusers.tapestry.apache.org%3E

https://lists.apache.org/thread.html/7a437dad5af7309aba4d01bfc2463b3ac34e6aafaa565381d3a36460%40%3Cusers.tapestry.apache.org%3E

https://lists.apache.org/thread.html/bac8d6f9e1b4059b319d9cba6f33219a99b81623476ec896138f851c%40%3Cusers.tapestry.apache.org%3E

https://lists.apache.org/thread.html/r7d9c54beb1dc97dcccc58d9b5d31f0f7166f9a25ad1beba5f8091e0c%40%3Ccommits.tapestry.apache.org%3E

https://lists.apache.org/thread.html/r87523dd07886223aa086edc25fe9b8ddb9c1090f7db25b068dc30843%40%3Ccommits.tapestry.apache.org%3E

Related Vulnerabilities

CVE-2022-3143 Vulnerability in maven package org.wildfly.security:wildfly-elytron-x500

CVE-2020-26939 Vulnerability in maven package org.bouncycastle:bcprov-ext-jdk15on

CVE-2017-13098 Vulnerability in maven package com.madgag.spongycastle:bctls-jdk15on

CVE-2022-31142 Vulnerability in npm package @fastify/bearer-auth

CVE-2022-43411 Vulnerability in maven package org.jenkins-ci.plugins:gitlab-plugin

Severity

Critical

Classification

CWE-203 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H