CNNVD-202509-3234 Information
CNNVD ID
CNNVD-202509-3234
Related CVE
- CNNVD Published: 2025-09-22
Description (translated from Chinese)
SCRAM Java Implementation is an open-source Java implementation library for SCRAM from OnGres Inc. Versions of SCRAM Java Implementation before 3.2 contain a security vulnerability: sensitive values are compared with Arrays.equals, which may enable a timing side-channel attack.
Description (English)
SCRAM Java Implementation is an open-source Java implementation library for SCRAM from OnGres Inc. Versions of SCRAM Java Implementation before 3.2 contain a security vulnerability caused by the use of Arrays.equals for sensitive value comparisons, which could lead to a timing side-channel attack.
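As an added example (not code from the ongres/scram library), the server-side SCRAM-SHA-256 proof check written once with the Arrays.equals comparison the advisory describes and once with the MessageDigest.isEqual replacement that the references point to; key derivation follows the SCRAM RFC (RFC 5802) and every sample value is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Server-side ClientProof verification in SCRAM-SHA-256 (RFC 5802 key derivation),
// written once with Arrays.equals (the pattern the advisory describes) and once
// with MessageDigest.isEqual. All sample values below are constructed.
public final class ScramProofCheck {
    static byte[] hmac(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    static byte[] sha256(byte[] in) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(in);
    }

    static byte[] xor(byte[] a, byte[] b) {
        byte[] out = new byte[a.length];
        for (int i = 0; i < a.length; i++) out[i] = (byte) (a[i] ^ b[i]);
        return out;
    }

    // Before the fix: Arrays.equals returns at the first differing byte, so the time
    // taken depends on how many leading bytes of H(ClientKey) match StoredKey.
    static boolean verifyUnsafe(byte[] storedKey, byte[] clientSig, byte[] clientProof) throws Exception {
        return Arrays.equals(sha256(xor(clientProof, clientSig)), storedKey);
    }

    // After the fix: MessageDigest.isEqual examines every byte regardless of mismatches.
    static boolean verifySafe(byte[] storedKey, byte[] clientSig, byte[] clientProof) throws Exception {
        return MessageDigest.isEqual(sha256(xor(clientProof, clientSig)), storedKey);
    }

    public static void main(String[] args) throws Exception {
        byte[] saltedPassword = sha256("constructed-salted-password".getBytes(StandardCharsets.UTF_8));
        byte[] clientKey = hmac(saltedPassword, "Client Key");
        byte[] storedKey = sha256(clientKey);                       // what the server stores
        String authMessage = "n=user,r=abc,r=abcdef,s=c2FsdA==,i=4096,c=biws,r=abcdef"; // constructed
        byte[] clientSig = hmac(storedKey, authMessage);
        byte[] clientProof = xor(clientKey, clientSig);             // what the client sends
        System.out.println("safe, correct proof: " + verifySafe(storedKey, clientSig, clientProof));
        clientProof[0] ^= 1;                                        // corrupt one byte of the proof
        System.out.println("safe, bad proof:     " + verifySafe(storedKey, clientSig, clientProof));
        System.out.println("unsafe, bad proof:   " + verifyUnsafe(storedKey, clientSig, clientProof));
    }
}
```

Both functions accept and reject the same proofs; only the runtime behaviour of the final comparison differs, which is why the fix is a one-line swap in the verifier.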
Hazard Level
High
Vulnerability Type
Other
Affected Vendor
Opay
Published
2025-09-22
Last Modified
2026-02-24
References
https://github.com/ongres/scram/security/advisories/GHSA-3wfh-36rx-9537
https://docs.oracle.com/en/java/javase/25/docs/api/java.base/java/security/MessageDigest.html#isEqual(byte%5B%5D
https://github.com/ongres/scram/commit/f04975680d4a67bc84cc6c61bbffd5186223e2e2
https://access.redhat.com/security/cve/cve-2025-59432
https://vigilance.fr/vulnerability/SCRAM-information-disclosure-via-Execution-Time-48709
Patch
https://github.com/ongres/scram/releases