Description

The code which checks HMAC in form submissions used String.equals() for comparisons, which results in a timing side channel for the comparison of the HMAC signatures. This could lead to remote code execution if an attacker is able to determine the correct signature for their payload. The comparison should be done with a constant time algorithm instead.

Remediation

References

https://lists.apache.org/thread.html/6e8f42c88da7be3c60aafe3f6a85eb00b4f8b444de26b38d36233a43%40%3Cusers.tapestry.apache.org%3E

https://lists.apache.org/thread.html/7a437dad5af7309aba4d01bfc2463b3ac34e6aafaa565381d3a36460%40%3Cusers.tapestry.apache.org%3E

https://lists.apache.org/thread.html/bac8d6f9e1b4059b319d9cba6f33219a99b81623476ec896138f851c%40%3Cusers.tapestry.apache.org%3E

https://lists.apache.org/thread.html/r7d9c54beb1dc97dcccc58d9b5d31f0f7166f9a25ad1beba5f8091e0c%40%3Ccommits.tapestry.apache.org%3E

https://lists.apache.org/thread.html/r87523dd07886223aa086edc25fe9b8ddb9c1090f7db25b068dc30843%40%3Ccommits.tapestry.apache.org%3E

Related Vulnerabilities

CVE-2022-3143 Vulnerability in maven package org.wildfly.security:wildfly-elytron-password-impl

CVE-2020-26939 Vulnerability in maven package org.bouncycastle:bcprov-ext-jdk15on

CVE-2020-26939 Vulnerability in maven package org.bouncycastle:bcprov-jdk15on

CVE-2017-13098 Vulnerability in maven package org.bouncycastle:bctls-jdk15on

CVE-2022-43412 Vulnerability in maven package org.jenkins-ci.plugins:generic-webhook-trigger

Severity

Critical

Classification

CWE-203 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H