VYPR

Maven package

org.apache.ws.security/wss4j

pkg:maven/org.apache.ws.security/wss4j

Vulnerabilities (4)

  • CVE-2011-2487Mar 11, 2020
    affected < 1.6.5fixed 1.6.5

    The implementations of PKCS#1 v1.5 key transport mechanism for XMLEncryption in JBossWS and Apache WSS4J before 1.6.5 is susceptible to a Bleichenbacher attack.

  • CVE-2015-0226HigOct 30, 2017
    affected < 1.6.17fixed 1.6.17

    Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks information about decryption failures when decrypting an encrypted key or message data, which makes it easier for remote attackers to recover the plaintext form of a symmetric key via a series of crafted messages.

  • CVE-2015-0227Feb 12, 2015
    affected < 1.6.17fixed 1.6.17

    Apache WSS4J before 1.6.17 and 2.x before 2.0.2 allows remote attackers to bypass the requireSignedEncryptedDataElements configuration via a vectors related to "wrapping attacks."

  • CVE-2014-3623Oct 30, 2014
    affected < 1.6.17fixed 1.6.17

    Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing atta