CVE-2011-4314
extension): MITM due to improper validation of AX attribute signatures
- Public Exploits: 0
- Exploited in Wild: -
- Decision: -
Descriptions
message/ax/AxMessage.java in OpenID4Java before 0.9.6 final, as used in JBoss Enterprise Application Platform 5.1 before 5.1.2, Step2, Kay Framework before 1.0.2, and possibly other products does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack.
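The check the description says OpenID4Java's AX handling lacked, shown as an added relying-party-side example (not OpenID4Java's own code): every AX field under an alias bound to the AX namespace, plus the `openid.ns.<alias>` binding itself, must appear in `openid.signed` before the attributes are trusted. It assumes the signature over the `openid.signed` fields has already been verified (via the association or check_authentication); the sample assertion and its values are constructed.

```python
from typing import Dict, List

AX_NS = "http://openid.net/srv/ax/1.0"

def unsigned_ax_fields(params: Dict[str, str]) -> List[str]:
    """Return AX parameters (and their namespace binding) not covered by openid.signed."""
    # openid.signed lists field names without the "openid." prefix.
    signed = set(filter(None, params.get("openid.signed", "").split(",")))
    aliases = [k[len("openid.ns."):] for k, v in params.items()
               if k.startswith("openid.ns.") and v == AX_NS]
    missing = []
    for alias in aliases:
        for key in params:
            if key == f"openid.ns.{alias}" or key.startswith(f"openid.{alias}."):
                if key[len("openid."):] not in signed:
                    missing.append(key)
    return sorted(missing)

def ax_attributes(params: Dict[str, str], require_signed: bool = True) -> Dict[str, str]:
    """Map AX type URIs to values. require_signed=False mirrors the pre-fix behaviour."""
    if require_signed:
        missing = unsigned_ax_fields(params)
        if missing:
            raise ValueError("unsigned AX fields: " + ", ".join(missing))
    attrs = {}
    for key, type_uri in params.items():
        parts = key.split(".")  # openid.<alias>.type.<name> pairs with .value.<name>
        if len(parts) == 4 and parts[2] == "type" and params.get(f"openid.ns.{parts[1]}") == AX_NS:
            value = params.get(f"openid.{parts[1]}.value.{parts[3]}")
            if value is not None:
                attrs[type_uri] = value
    return attrs

# Constructed sample positive assertion (not captured traffic); openid.sig is a placeholder.
CORE = {
    "openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example/endpoint",
    "openid.claimed_id": "https://op.example/u/alice",
    "openid.identity": "https://op.example/u/alice",
    "openid.return_to": "https://rp.example/return",
    "openid.response_nonce": "2011-11-16T10:00:00Zabc", "openid.assoc_handle": "h1",
    "openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_response",
    "openid.ax.type.email": "http://axschema.org/contact/email",
    "openid.ax.value.email": "alice@example.org", "openid.sig": "PLACEHOLDER",
}
CORE_SIGNED = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"
GOOD = {**CORE, "openid.signed": CORE_SIGNED + ",ns.ax,ax.mode,ax.type.email,ax.value.email"}
# Only the core fields are signed, so the AX payload below could be altered in transit.
BAD = {**CORE, "openid.signed": CORE_SIGNED, "openid.ax.value.email": "mallory@example.org"}
```

With `require_signed=False` the second assertion yields the altered address without complaint, which is the behaviour the CVE describes; with the default the relying party rejects it.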
CVSS Scores
SSVC
- Decision: -
Timeline
- 2011-11-04 CVE Reserved
- 2011-12-08 CVE Published
- 2023-03-07 EPSS Updated
- 2024-08-07 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
CAPEC
References (14)
URL | Tag | Source |
---|---|---|
http://secunia.com/advisories/48697 | Third Party Advisory | |
http://secunia.com/advisories/48954 | Third Party Advisory | |
http://securitytracker.com/id?1026400 | Vdb Entry | |
http://www.openwall.com/lists/oss-security/2011/11/16/1 | Mailing List | |
http://www.openwall.com/lists/oss-security/2011/11/17/1 | Mailing List | |
https://issues.jboss.org/browse/JBEPP-1368 | X_refsource_confirm | |
https://issues.jboss.org/browse/SOA-3597 | X_refsource_confirm | |

URL | Date | SRC |
---|---|---|
http://openid.net/2011/05/05/attribute-exchange-security-alert | 2013-02-15 | |
http://rhn.redhat.com/errata/RHSA-2012-0441.html | 2013-02-15 | |
http://rhn.redhat.com/errata/RHSA-2012-0519.html | 2013-02-15 | |
http://secunia.com/advisories/44496 | 2013-02-15 | |
http://www.redhat.com/support/errata/RHSA-2011-1804.html | 2013-02-15 | |
https://access.redhat.com/security/cve/CVE-2011-4314 | 2012-04-25 | |
https://bugzilla.redhat.com/show_bug.cgi?id=754386 | 2012-04-25 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Kay Framework Project | Kay Framework | <= 1.0.1 | - | Affected |
Kay Framework Project | Kay Framework | 0.0.0 | - | Affected |
Kay Framework Project | Kay Framework | 0.1.0 | - | Affected |
Kay Framework Project | Kay Framework | 0.2.0 | - | Affected |
Kay Framework Project | Kay Framework | 0.3.0 | - | Affected |
Kay Framework Project | Kay Framework | 0.8.0 | - | Affected |
Kay Framework Project | Kay Framework | 1.0.0 | - | Affected |
Openid | Openid4java | <= 0.9.5.593 | - | Affected |
Openid | Openid4java | 0.9.2 | - | Affected |
Openid | Openid4java | 0.9.3 | - | Affected |
Openid | Openid4java | 0.9.4.339 | - | Affected |
Redhat | Jboss Enterprise Application Platform | 5.1.0 | - | Affected |
Redhat | Jboss Enterprise Application Platform | 5.1.1 | - | Affected |
Redhat | Jboss Enterprise Application Platform | 5.1.2 | - | Affected |