Description
Apache WSS4J before 1.6.17 and 2.x before 2.0.2 allows remote attackers to bypass the requireSignedEncryptedDataElements configuration via vectors related to "wrapping attacks."
It was found that Apache WSS4J permitted bypass of the requireSignedEncryptedDataElements configuration property via XML Signature wrapping attacks. A remote attacker could use this flaw to modify the contents of a signed request.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat BPM Suite 6 | wss4j | Affected | | |
| Red Hat JBoss BRMS 5 | wss4j | Will not fix | | |
| Red Hat JBoss BRMS 6 | wss4j | Affected | | |
| Red Hat JBoss Data Virtualization 6 | wss4j | Affected | | |
| Red Hat JBoss Enterprise Application Platform 5 | wss4j | Will not fix | | |
| Red Hat JBoss Enterprise Web Server 1 | fuse-6 | Affected | | |
| Red Hat JBoss Enterprise Web Server 1 | fuse-esb-7 | Will not fix | | |
| Red Hat JBoss Fuse Service Works 6 | wss4j | Affected | | |
| Red Hat JBoss Operations Network 2 | wss4j | Not affected | | |
| Red Hat JBoss Operations Network 3 | wss4j | Affected | | |
Additional information
Status:
EPSS
4 Medium
CVSS2
Related vulnerabilities
Apache WSS4J before 1.6.17 and 2.x before 2.0.2 allows remote attackers to bypass the requireSignedEncryptedDataElements configuration via vectors related to "wrapping attacks."
Apache WSS4J before 1.6.17 and 2.x before 2.0.2 allows remote attacker ...