GHSA-3wfh-36rx-9537
Suggest an improvement- Source
- https://github.com/advisories/GHSA-3wfh-36rx-9537
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-3wfh-36rx-9537/GHSA-3wfh-36rx-9537.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-3wfh-36rx-9537
- Aliases
- Published
- 2025-09-16T22:20:08Z
- Modified
- 2025-09-22T22:39:42.731036Z
- Severity
-
- 6.6 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator
- Summary
- Timing Attack Vulnerability in SCRAM Authentication
- Details
-
Impact
A timing attack vulnerability exists in the SCRAM Java implementation. The issue arises because
Arrays.equalswas used to compare secret values such as client proofs and server signatures. SinceArrays.equalsperforms a short-circuit comparison, the execution time varies depending on how many leading bytes match. This behavior could allow an attacker to perform a timing side-channel attack and potentially infer sensitive authentication material. All users relying on SCRAM authentication are impacted.Patches
This vulnerability has been patched by replacing
Arrays.equalswithMessageDigest.isEqual, which ensures constant-time comparison.Users should upgrade to version 3.2 or later to mitigate this issue.
Workarounds
Because the attack requires high precision and repeated attempts, the risk is limited, but the only reliable mitigation is to upgrade to a patched release (version 3.2 or later).
References
- Database specific
{ "github_reviewed": true, "severity": "MODERATE", "cwe_ids": [ "CWE-208", "CWE-385" ], "nvd_published_at": "2025-09-22T20:15:38Z", "github_reviewed_at": "2025-09-16T22:20:08Z" }- References
-
- https://github.com/ongres/scram/security/advisories/GHSA-3wfh-36rx-9537
- https://nvd.nist.gov/vuln/detail/CVE-2025-59432
- https://github.com/ongres/scram/commit/f04975680d4a67bc84cc6c61bbffd5186223e2e2
- https://docs.oracle.com/en/java/javase/25/docs/api/java.base/java/security/MessageDigest.html#isEqual(byte%5B%5D,byte%5B%5D)
- https://github.com/ongres/scram
Affected packages
Maven / com.ongres.scram:scram-common
Package
- Name
- com.ongres.scram:scram-common
- View open source insights on deps.dev
- Purl
- pkg:maven/com.ongres.scram/scram-common