GHSA-3wfh-36rx-9537: 
Java vulnerability analysis and mitigation

A timing attack vulnerability (GHSA-3wfh-36rx-9537) was discovered in the SCRAM Java implementation affecting versions prior to 3.2 of com.ongres.scram:scram-common package. The vulnerability was disclosed and patched on September 16, 2025. The issue stems from the usage of Arrays.equals for comparing secret values such as client proofs and server signatures during SCRAM authentication (GitHub Advisory).

The vulnerability arises because Arrays.equals performs a short-circuit comparison, where the execution time varies depending on how many leading bytes match. This timing discrepancy creates a side-channel that could potentially leak information about the secret values being compared. The issue has been assigned a CVSS score of 6.6 (Moderate severity) with attack vector being Network, attack complexity Low, and requiring no privileges or user interaction. The vulnerability is classified under CWE-208 (Observable Timing Discrepancy) and CWE-385 (Covert Timing Channel) (GitHub Advisory).

The vulnerability impacts all users relying on SCRAM authentication. A successful exploitation could potentially allow an attacker to infer sensitive authentication material through timing analysis. The vulnerability affects the confidentiality of the vulnerable system with a High impact rating, while integrity and availability remain unaffected (GitHub Advisory).

The vulnerability has been patched in version 3.2 by replacing Arrays.equals with MessageDigest.isEqual, which ensures constant-time comparison. Users should upgrade to version 3.2 or later to mitigate this issue. While the attack requires high precision and repeated attempts, limiting the risk, the only reliable mitigation is to upgrade to a patched release (GitHub Advisory).