| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.ongres.scram:scram-common | maven | < 3.2 | 3.2 |

The vulnerability is a timing side channel in the SCRAM authentication mechanism. The root cause is the use of `java.util.Arrays.equals` to compare cryptographic secrets (client proofs and server signatures). `Arrays.equals` performs a byte-by-byte comparison and returns `false` as soon as a mismatch is found, so the execution time of the comparison depends on the number of matching bytes from the beginning of the arrays.

An attacker can exploit this by sending multiple authentication requests with slightly different proofs/signatures and measuring the server's response time. By carefully analyzing the timing differences, the attacker can incrementally reconstruct the secret values byte by byte.

The patch replaces the vulnerable `Arrays.equals` with `java.security.MessageDigest.isEqual`, a constant-time comparison function specifically designed to prevent timing attacks. The functions `verifyClientProof` and `verifyServerSignature` in `com.ongres.scram.common.ScramFunctions` were identified as vulnerable because they directly used `Arrays.equals` for these sensitive comparisons, as shown in commit `f04975680d4a67bc84cc6c61bbffd5186223e2e2`.
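The comparison pattern described above, next to its replacement, as an added example that is not code from scram-common. The class name, the helper methods and the sample bytes are hypothetical; the two `bytesRead...` loops are models of early-exit and accumulate-then-decide comparison, not the JDK's implementations, and they count work done because wall-clock timing on a JVM is too noisy for a short demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

public class ProofComparisonDemo {
    // "Before" pattern from the advisory: the verdict is correct, but the
    // comparison may return at the first mismatching byte.
    static boolean verifyEarlyExit(byte[] expected, byte[] supplied) {
        return Arrays.equals(expected, supplied);
    }

    // "After" pattern: the JDK comparison intended for secret values.
    static boolean verifyConstantTime(byte[] expected, byte[] supplied) {
        return MessageDigest.isEqual(expected, supplied);
    }

    // Model of an early-exit loop (equal-length inputs assumed):
    // number of bytes read before the loop reaches a decision.
    static int bytesReadEarlyExit(byte[] a, byte[] b) {
        for (int i = 0; i < a.length; i++) {
            if (a[i] != b[i]) return i + 1;
        }
        return a.length;
    }

    // Model of an accumulate-then-decide loop (equal-length inputs assumed):
    // every byte is folded into diff, so the work does not depend on the data.
    static int bytesReadAccumulate(byte[] a, byte[] b) {
        int diff = 0, read = 0;
        for (int i = 0; i < a.length; i++) {
            diff |= a[i] ^ b[i];
            read++;
        }
        return read; // diff == 0 would be the equality verdict
    }

    public static void main(String[] args) throws Exception {
        // Constructed 32-byte stand-in for an expected proof (not a real SCRAM value).
        byte[] expected = MessageDigest.getInstance("SHA-256")
                .digest("constructed-sample".getBytes(StandardCharsets.UTF_8));
        for (int pos : new int[] {0, 15, 31}) {
            byte[] supplied = expected.clone();
            supplied[pos] ^= 0x01; // single mismatch at index pos
            System.out.printf("mismatch@%2d early-exit reads %2d, accumulate reads %2d, verdicts %b/%b%n",
                    pos, bytesReadEarlyExit(expected, supplied), bytesReadAccumulate(expected, supplied),
                    verifyEarlyExit(expected, supplied), verifyConstantTime(expected, supplied));
        }
    }
}
```

Both `verify...` methods return the same verdict for every input; only the amount of work tied to the position of the first mismatch differs, which is why a code review or static-analysis rule flagging `Arrays.equals` on proofs, signatures, MACs or tokens is the practical check here.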