CVE-2019-10071
Timing attack on HMAC signature comparison in Apache Tapestry
9.8
CRITICAL
CVSS 3.1
EPSS 9.8%
Description
The code that checks the HMAC on form submissions used String.equals() to compare signatures. String.equals() returns as soon as it finds a mismatching character, so the time the check takes reveals how much of the submitted signature already matches, which is a timing side channel for the HMAC comparison. An attacker who can use that channel to determine the correct signature for a crafted payload could achieve remote code execution. The comparison should be done with a constant-time algorithm instead.
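The description explains the side channel in words only. The following is an added Python example, not Tapestry code and not part of this advisory: it models an early-exit comparison like String.equals() with a deterministic "work" counter standing in for the wall-clock time an attacker would measure, recovers a 64-character hex HMAC-SHA256 one digit at a time from that counter, and shows that the same attack gets no signal from a constant-time comparison. The key, the payload and the work counter are constructed for the demonstration; a real deployment never exposes the counter, only latency.

```python
"""Timing side channel in an early-exit HMAC comparison, and the constant-time fix."""
import hashlib
import hmac
from typing import Callable, Optional, Tuple

KEY = b"constructed-demo-key"                              # constructed server-side secret
PAYLOAD = b"t:formdata=constructed-tampered-form-payload"  # constructed form submission
HEX = "0123456789abcdef"
SIG_LEN = 64  # hex-encoded HMAC-SHA256

Comparator = Callable[[str, str], Tuple[bool, int]]


def sign(payload: bytes) -> str:
    """Server-side signature: hex HMAC-SHA256 over the submitted form data."""
    return hmac.new(KEY, payload, hashlib.sha256).hexdigest()


def equals_early_exit(a: str, b: str) -> Tuple[bool, int]:
    """Models String.equals(): stops at the first differing character.
    Returns (equal, number of characters compared); the count is the side channel."""
    if len(a) != len(b):
        return False, 0
    work = 0
    for x, y in zip(a, b):
        work += 1
        if x != y:
            return False, work
    return True, work


def equals_constant_time(a: str, b: str) -> Tuple[bool, int]:
    """Compares every character and accumulates the differences, so the work
    done does not depend on where the first mismatch is."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    work = 0
    for x, y in zip(a, b):
        work += 1
        diff |= ord(x) ^ ord(y)
    return diff == 0, work


def server_verify(payload: bytes, submitted_sig: str, compare: Comparator) -> Tuple[bool, int]:
    """The server's check: recompute the HMAC and compare it with the submitted one.
    The work count models the response latency the attacker observes."""
    return compare(sign(payload), submitted_sig)


def recover_signature(payload: bytes, compare: Comparator) -> Optional[str]:
    """Attacker: forge the signature one hex digit at a time, keeping the guess
    that makes the server do the most work. Returns the signature once the
    server accepts it, or None when the oracle is flat (no usable signal)."""
    guess = ""
    for pos in range(SIG_LEN):
        best_char, best_work, tie = "", -1, False
        for c in HEX:
            candidate = guess + c + "0" * (SIG_LEN - pos - 1)
            ok, work = server_verify(payload, candidate, compare)
            if ok:
                return candidate
            if work > best_work:
                best_char, best_work, tie = c, work, False
            elif work == best_work:
                tie = True
        if tie:  # every guess cost the same: nothing to learn at this position
            return None
        guess += best_char
    return None


def verify_hardened(payload: bytes, submitted_sig: str) -> bool:
    """The actual fix in Python: hmac.compare_digest runs in time independent of
    the content for equal-length inputs."""
    return hmac.compare_digest(sign(payload), submitted_sig)


if __name__ == "__main__":
    forged = recover_signature(PAYLOAD, equals_early_exit)
    print("early-exit compare, recovered signature matches:", forged == sign(PAYLOAD))
    print("constant-time compare, recovered signature:", recover_signature(PAYLOAD, equals_constant_time))
    print("hardened verify accepts forged signature:", verify_hardened(PAYLOAD, forged or ""))
```

Against the early-exit comparator the attacker needs at most 16 requests per hex digit, about a thousand in total, to forge a valid signature without knowing the key. In Java the constant-time equivalent is java.security.MessageDigest.isEqual(byte[], byte[]) applied to the decoded signatures; it still returns early on a length mismatch, which leaks only the length. Over a real network the work counter becomes request latency, so an attacker needs many samples per guess to average out jitter, but the digit-by-digit structure of the attack is the same.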
How to fix CVE-2019-10071
To remediate CVE-2019-10071, upgrade the affected package to the fixed version below.
- Apache Tapestry: upgrade to 5.4.5 or later
Is CVE-2019-10071 being exploited?
Moderate — EPSS is 9.8%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (1)
- Apache Tapestry >= 5.4, < 5.4.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |