CVSS: 7.8EPSS: 4%CPEs: 5EXPL: 0CVE-2015-0226 – wss4j: Apache WSS4J is vulnerable to Bleichenbacher's attack (incomplete fix for CVE-2011-2487)
https://notcve.org/view.php?id=CVE-2015-0226
01 Apr 2015 — Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks information about decryption failures when decrypting an encrypted key or message data, which makes it easier for remote attackers to recover the plaintext form of a symmetric key via a series of crafted messages. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-2487. Apache WSS4J versiones anteriores a 1.6.17 y versiones 2.0.x anteriores a 2.0.2, filtra información inapropiadamente sobre fallos de descifrado cuando ... • http://rhn.redhat.com/errata/RHSA-2015-0846.html • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 5.3EPSS: 17%CPEs: 4EXPL: 0CVE-2015-0227 – wss4j: Apache WSS4J doesn't correctly enforce the requireSignedEncryptedDataElements property
https://notcve.org/view.php?id=CVE-2015-0227
12 Feb 2015 — Apache WSS4J before 1.6.17 and 2.x before 2.0.2 allows remote attackers to bypass the requireSignedEncryptedDataElements configuration via a vectors related to "wrapping attacks." Apache WSS4J anterior a 1.6.17 y 2.x anterior a 2.0.2 permite a atacantes remotos evadir la configuración requireSignedEncryptedDataElements a través de vectores relacionados con ataques envolventes (wrapping attacks). It was found that Apache WSS4J permitted bypass of the requireSignedEncryptedDataElements configuration property ... • http://rhn.redhat.com/errata/RHSA-2015-0773.html • CWE-264: Permissions, Privileges, and Access Controls CWE-358: Improperly Implemented Security Check for Standard •
CVSS: 5.3EPSS: 1%CPEs: 4EXPL: 0CVE-2014-3623 – CXF: Improper security semantics enforcement of SAML SubjectConfirmation methods
https://notcve.org/view.php?id=CVE-2014-3623
30 Oct 2014 — Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors. Apache WSS4J anterior a versión 1.6.17 y versiones 2.x anteriores a 2.0.2, tal y como es usado en Apache CXF versiones 2.7.x anteriores a 2.7.13 y versiones 3.0.x anteriores a 3.0.2, cuando se usa Transp... • http://rhn.redhat.com/errata/RHSA-2015-0236.html • CWE-287: Improper Authentication CWE-347: Improper Verification of Cryptographic Signature •