CVSS: 7.8EPSS: 4%CPEs: 5EXPL: 0CVE-2015-0226 – wss4j: Apache WSS4J is vulnerable to Bleichenbacher's attack (incomplete fix for CVE-2011-2487)
https://notcve.org/view.php?id=CVE-2015-0226
01 Apr 2015 — Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks information about decryption failures when decrypting an encrypted key or message data, which makes it easier for remote attackers to recover the plaintext form of a symmetric key via a series of crafted messages. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-2487. Apache WSS4J versiones anteriores a 1.6.17 y versiones 2.0.x anteriores a 2.0.2, filtra información inapropiadamente sobre fallos de descifrado cuando ... • http://rhn.redhat.com/errata/RHSA-2015-0846.html • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 5.3EPSS: 17%CPEs: 4EXPL: 0CVE-2015-0227 – wss4j: Apache WSS4J doesn't correctly enforce the requireSignedEncryptedDataElements property
https://notcve.org/view.php?id=CVE-2015-0227
12 Feb 2015 — Apache WSS4J before 1.6.17 and 2.x before 2.0.2 allows remote attackers to bypass the requireSignedEncryptedDataElements configuration via a vectors related to "wrapping attacks." Apache WSS4J anterior a 1.6.17 y 2.x anterior a 2.0.2 permite a atacantes remotos evadir la configuración requireSignedEncryptedDataElements a través de vectores relacionados con ataques envolventes (wrapping attacks). It was found that Apache WSS4J permitted bypass of the requireSignedEncryptedDataElements configuration property ... • http://rhn.redhat.com/errata/RHSA-2015-0773.html • CWE-264: Permissions, Privileges, and Access Controls CWE-358: Improperly Implemented Security Check for Standard •
CVSS: 5.3EPSS: 1%CPEs: 4EXPL: 0CVE-2014-3623 – CXF: Improper security semantics enforcement of SAML SubjectConfirmation methods
https://notcve.org/view.php?id=CVE-2014-3623
30 Oct 2014 — Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors. Apache WSS4J anterior a versión 1.6.17 y versiones 2.x anteriores a 2.0.2, tal y como es usado en Apache CXF versiones 2.7.x anteriores a 2.7.13 y versiones 3.0.x anteriores a 3.0.2, cuando se usa Transp... • http://rhn.redhat.com/errata/RHSA-2015-0236.html • CWE-287: Improper Authentication CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 7.8EPSS: 0%CPEs: 12EXPL: 0CVE-2011-2487 – jbossws: Prone to Bleichenbacher attack against to be distributed symmetric key
https://notcve.org/view.php?id=CVE-2011-2487
18 Jun 2013 — The implementations of PKCS#1 v1.5 key transport mechanism for XMLEncryption in JBossWS and Apache WSS4J before 1.6.5 is susceptible to a Bleichenbacher attack. Las implementaciones del mecanismo de transporte de claves PKCS#1 versión v1.5 para XMLEncryption en JBossWS y Apache WSS4J versiones anteriores a 1.6.5, son susceptibles a un ataque de tipo Bleichenbacher A flaw was found in JBoss web services where the services used a weak symmetric encryption protocol, PKCS#1 v1.5. An attacker could use this weak... • http://cxf.apache.org/note-on-cve-2011-2487.html • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •