Package Instance

Wildfly-elytron possibly vulnerable to timing attacks via use of unsafe comparator
wildfly-elytron: possible timing attacks via use of unsafe comparator. A flaw was found in Wildfly-elytron. Wildfly-elytron uses `java.util.Arrays.equals` in several places, which is unsafe and vulnerable to timing attacks. To compare values securely, use `java.security.MessageDigest.isEqual` instead. This flaw allows an attacker to access secure information or impersonate an authed user.

WildFly Elytron OpenID Connect Client ExtensionOIDC authorization code injection attack
### Impact

A vulnerability was found in OIDC-Client. When using the elytron-oidc-client subsystem with WildFly, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is usually done with a Man-in-the-Middle (MitM) or phishing attack.

### Patches

[2.2.9.Final](https://github.com/wildfly-security/wildfly-elytron/releases/tag/2.2.9.Final)
[2.6.2.Final](https://github.com/wildfly-security/wildfly-elytron/releases/tag/2.6.2.Final)

### Workarounds

Currently, no mitigation is currently available for this vulnerability.

### References

https://nvd.nist.gov/vuln/detail/CVE-2024-12369
https://access.redhat.com/security/cve/CVE-2024-12369	
https://bugzilla.redhat.com/show_bug.cgi?id=2331178
https://issues.redhat.com/browse/ELY-2887