Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-3wfh-36rx-9537

GitHub Security Advisory

Timing Attack Vulnerability in SCRAM Authentication

✓ GitHub Reviewed MODERATE
View on GitHub

Advisory Details

### Impact

A timing attack vulnerability exists in the SCRAM Java implementation. The issue arises because `Arrays.equals` was used to compare secret values such as client proofs and server signatures. Since `Arrays.equals` performs a short-circuit comparison, the execution time varies depending on how many leading bytes match. This behavior could allow an attacker to perform a timing side-channel attack and potentially infer sensitive authentication material. All users relying on SCRAM authentication are impacted.

### Patches

This vulnerability has been patched by replacing `Arrays.equals` with `MessageDigest.isEqual`, which ensures constant-time comparison.

Users should upgrade to version **3.2** or later to mitigate this issue.

### Workarounds

Because the attack requires high precision and repeated attempts, the risk is limited, but the only reliable mitigation is to upgrade to a patched release (version 3.2 or later).

### References

- [Java `MessageDigest.isEqual` Documentation](https://docs.oracle.com/en/java/javase/25/docs/api/java.base/java/security/MessageDigest.html#isEqual(byte[],byte[]))

Affected Packages

Maven com.ongres.scram:scram-common
Affected versions: 0 (fixed in 3.2)

Key Information

GHSA ID
GHSA-3wfh-36rx-9537
Published
September 16, 2025 10:20 PM
Last Modified
September 16, 2025 10:20 PM
CVSS Score
5.0 /10
Primary Ecosystem
Maven
Primary Package
com.ongres.scram:scram-common
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 18, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.