CVE-2015-0227

wss4j: Apache WSS4J doesn't correctly enforce the requireSignedEncryptedDataElements property

Severity Score

5.0
*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Apache WSS4J before 1.6.17 and 2.x before 2.0.2 allows remote attackers to bypass the requireSignedEncryptedDataElements configuration via vectors related to "wrapping attacks."

It was found that Apache WSS4J permitted bypass of the requireSignedEncryptedDataElements configuration property via XML Signature wrapping attacks. A remote attacker could use this flaw to modify the contents of a signed request.

*Credits: N/A
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: None
  • Integrity: Partial
  • Availability: None

  • Attack Vector: Network
  • Attack Complexity: High
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2014-11-18 CVE Reserved
  • 2015-02-12 CVE Published
  • 2024-08-06 CVE Updated
  • 2024-09-24 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-264: Permissions, Privileges, and Access Controls
  • CWE-358: Improperly Implemented Security Check for Standard
CAPEC
Affected Vendors, Products, and Versions
Vendor  Product  Version    Other  Status
Apache  Wss4j    <= 1.6.16  -      Affected
Apache  Wss4j    2.0.0      -      Affected
Apache  Wss4j    2.0.0      rc1    Affected
Apache  Wss4j    2.0.1      -      Affected