org.wildfly.security:wildfly-elytron 1.1.0.CR1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.wildfly.security:wildfly-elytron package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Timing Attack org.wildfly.security:wildfly-elytron is a new WildFly sub-project which is completely replacing the combination of PicketBox and JAAS as the WildFly client and server security mechanism. Affected versions of this package are vulnerable to Timing Attack. Currently `org.wildfly.security.mechanism.scram.ScramServer` uses simple byte comparison to verify the message nonce and client proof. Simple byte comparison returns on the first mismatch and is therefore susceptible to timing attacks. How to fix Timing Attack? Upgrade `org.wildfly.security:wildfly-elytron` to version 1.10.4.Final, 1.15.6.Final, 1.16.1.Final or higher.	[,1.10.4.Final)[1.15.0.CR1,1.15.6.Final)[1.16.0.CR1,1.16.1.Final)
M Access Restriction Bypass org.wildfly.security:wildfly-elytron is a new WildFly sub-project which is completely replacing the combination of PicketBox and JAAS as the WildFly client and server security mechanism. Affected versions of this package are vulnerable to Access Restriction Bypass. The WildFlySecurityManager checks were bypassed when using custom security managers, resulting in an improper authorization. This flaw leads to information exposure by unauthenticated access to secure resources. How to fix Access Restriction Bypass? Upgrade `org.wildfly.security:wildfly-elytron` to version 1.6.8.Final or higher.	[,1.6.8.Final)
H Session Fixation org.wildfly.security:wildfly-elytron is a new WildFly sub-project which is completely replacing the combination of PicketBox and JAAS as the WildFly client and server security mechanism. Affected versions of this package are vulnerable to Session Fixation. When using `FORM` authentication with a session ID in the URL, an attacker could perform a session fixation attack. How to fix Session Fixation? Upgrade `org.wildfly.security:wildfly-elytron` to version 1.11.4.Final or higher.	[,1.11.4.Final)

Vulnerability

Vulnerable Version

Timing Attack

org.wildfly.security:wildfly-elytron is a new WildFly sub-project which is completely replacing the combination of PicketBox and JAAS as the WildFly client and server security mechanism.

Affected versions of this package are vulnerable to Timing Attack. Currently org.wildfly.security.mechanism.scram.ScramServer uses simple byte comparison to verify the message nonce and client proof. Simple byte comparison returns on the first mismatch and is therefore susceptible to timing attacks.

How to fix Timing Attack?

Upgrade org.wildfly.security:wildfly-elytron to version 1.10.4.Final, 1.15.6.Final, 1.16.1.Final or higher.

[,1.10.4.Final)[1.15.0.CR1,1.15.6.Final)[1.16.0.CR1,1.16.1.Final)

Access Restriction Bypass

org.wildfly.security:wildfly-elytron is a new WildFly sub-project which is completely replacing the combination of PicketBox and JAAS as the WildFly client and server security mechanism.

Affected versions of this package are vulnerable to Access Restriction Bypass. The WildFlySecurityManager checks were bypassed when using custom security managers, resulting in an improper authorization. This flaw leads to information exposure by unauthenticated access to secure resources.

How to fix Access Restriction Bypass?

Upgrade org.wildfly.security:wildfly-elytron to version 1.6.8.Final or higher.

[,1.6.8.Final)

Session Fixation

org.wildfly.security:wildfly-elytron is a new WildFly sub-project which is completely replacing the combination of PicketBox and JAAS as the WildFly client and server security mechanism.

Affected versions of this package are vulnerable to Session Fixation. When using FORM authentication with a session ID in the URL, an attacker could perform a session fixation attack.

How to fix Session Fixation?

Upgrade org.wildfly.security:wildfly-elytron to version 1.11.4.Final or higher.

[,1.11.4.Final)

org.wildfly.security:wildfly-elytron@1.1.0.CR1 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?