Maven package
org.apache.ws.security/wss4j
pkg:maven/org.apache.ws.security/wss4j
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2011-2487 | — | < 1.6.5 | 1.6.5 | Mar 11, 2020 | The implementations of PKCS#1 v1.5 key transport mechanism for XMLEncryption in JBossWS and Apache WSS4J before 1.6.5 is susceptible to a Bleichenbacher attack. | ||
| CVE-2015-0226 | Hig | 7.5 | < 1.6.17 | 1.6.17 | Oct 30, 2017 | Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks information about decryption failures when decrypting an encrypted key or message data, which makes it easier for remote attackers to recover the plaintext form of a symmetric key via a series of crafted messages. | |
| CVE-2015-0227 | — | < 1.6.17 | 1.6.17 | Feb 12, 2015 | Apache WSS4J before 1.6.17 and 2.x before 2.0.2 allows remote attackers to bypass the requireSignedEncryptedDataElements configuration via a vectors related to "wrapping attacks." | ||
| CVE-2014-3623 | — | < 1.6.17 | 1.6.17 | Oct 30, 2014 | Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing atta |
- CVE-2011-2487Mar 11, 2020affected < 1.6.5fixed 1.6.5
The implementations of PKCS#1 v1.5 key transport mechanism for XMLEncryption in JBossWS and Apache WSS4J before 1.6.5 is susceptible to a Bleichenbacher attack.
- affected < 1.6.17fixed 1.6.17
Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks information about decryption failures when decrypting an encrypted key or message data, which makes it easier for remote attackers to recover the plaintext form of a symmetric key via a series of crafted messages.
- CVE-2015-0227Feb 12, 2015affected < 1.6.17fixed 1.6.17
Apache WSS4J before 1.6.17 and 2.x before 2.0.2 allows remote attackers to bypass the requireSignedEncryptedDataElements configuration via a vectors related to "wrapping attacks."
- CVE-2014-3623Oct 30, 2014affected < 1.6.17fixed 1.6.17
Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing atta