VYPR

Wss4j

by Apache

Source repositories

CVEs (4)

  • CVE-2015-0226HigOct 30, 2017
    risk 0.42cvss 7.5epss 0.06

    Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks information about decryption failures when decrypting an encrypted key or message data, which makes it easier for remote attackers to recover the plaintext form of a symmetric key via a series of crafted…

  • CVE-2015-0227Feb 12, 2015
    risk 0.01cvss epss 0.08

    Apache WSS4J before 1.6.17 and 2.x before 2.0.2 allows remote attackers to bypass the requireSignedEncryptedDataElements configuration via a vectors related to "wrapping attacks."

  • CVE-2014-3623Oct 30, 2014
    risk 0.01cvss epss 0.09

    Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing…

  • CVE-2011-2487Mar 11, 2020
    risk 0.00cvss epss 0.02

    The implementations of PKCS#1 v1.5 key transport mechanism for XMLEncryption in JBossWS and Apache WSS4J before 1.6.5 is susceptible to a Bleichenbacher attack.