VYPR

Maven package

com.oviva.telematik/epa4all-client

pkg:maven/com.oviva.telematik/epa4all-client

Vulnerabilities (3)

  • CVE-2026-45574 (High), May 26, 2026
    affected < 1.2.2; fixed 1.2.2

    epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. Prior to 1.2.2, an attacker on the network path between the ePA service and the Konnektor can present any TLS certificate (self-signed, expired, wrong CN) and intercept all SOAP traffic. This

  • CVE-2026-44900 (High), May 26, 2026
    affected < 1.2.1; fixed 1.2.1

    epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. Prior to 1.2.1, in SignedPublicKeysTrustValidatorImpl.isTrusted(), the ECDSA signature verification at line 45 discards the boolean return value of Signature.verify(). The method performs cer

  • CVE-2026-45575 (High), May 26, 2026
    affected < 1.2.2; fixed 1.2.2

    epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. Prior to 1.2.2, an attacker who can MITM the TLS connection between the client and the IDP (within the TI network) can substitute a forged discovery document. The forged document redirects uri