Vulnerability Name: CVE-2011-4314 (CCN-67361)
Assigned: 2011-05-05
Published: 2011-05-05
Updated: 2013-02-15
Summary: message/ax/AxMessage.java in OpenID4Java before 0.9.6 final, as used in JBoss Enterprise Application Platform 5.1 before 5.1.2, Step2, Kay Framework before 1.0.2, and possibly other products, does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVSS v2 Severity:
    5.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P)
    4.3 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P/E:U/RL:OF/RC:C)
    3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Vulnerability Type: CWE-20
Vulnerability Consequences: Bypass Security
References:
    Source: MITRE; Type: CNA; CVE-2011-4314
    Source: CCN; Type: OpenID Web Site; Attribute Exchange Security Alert
    Source: CONFIRM; Type: Patch, Vendor Advisory; http://openid.net/2011/05/05/attribute-exchange-security-alert/
    Source: CCN; Type: RHSA-2011-1799; Low: JBoss Enterprise Application Platform 5.1.2 update
    Source: CCN; Type: RHSA-2011-1800; Low: JBoss Enterprise Application Platform 5.1.2 update
    Source: REDHAT; Type: UNKNOWN; RHSA-2012:0441
    Source: CCN; Type: RHSA-2012-0519; Moderate: JBoss Enterprise Portal Platform 5.2.1 update
    Source: REDHAT; Type: UNKNOWN; RHSA-2012:0519
    Source: CCN; Type: SA44496; OpenID4Java Attribute Exchange Signatures Security Issue
    Source: SECUNIA; Type: Vendor Advisory; 44496
    Source: SECUNIA; Type: UNKNOWN; 48697
    Source: SECUNIA; Type: UNKNOWN; 48954
    Source: SECTRACK; Type: UNKNOWN; 1026400
    Source: CCN; Type: IBM Security Bulletin 2015821 (Security QRadar SIEM); IBM QRadar SIEM contains vulnerable components and libraries. (CVE-2011-4314)
    Source: MLIST; Type: UNKNOWN; [oss-security] 20111116 CVE Request: openid4java not properly verifying the signature of Attribute Exchange (AX) information
    Source: MLIST; Type: UNKNOWN; [oss-security] 20111116 Re: CVE Request: openid4java not properly verifying the signature of Attribute Exchange (AX) information
    Source: CCN; Type: OSVDB ID: 73737; OpenID4Java Attribute Exchange Signature Verification Failure AX Information Manipulation
    Source: REDHAT; Type: UNKNOWN; RHSA-2011:1804
    Source: CCN; Type: BID-47785; OpenID4Java Attribute Exchange Remote Security Bypass Vulnerability
    Source: XF; Type: UNKNOWN; openid4java-ax-security-bypass(67361)
    Source: CONFIRM; Type: UNKNOWN; https://issues.jboss.org/browse/JBEPP-1368
    Source: CONFIRM; Type: UNKNOWN; https://issues.jboss.org/browse/SOA-3597
Vulnerable Configuration: Configuration 1 (denotes that the component is vulnerable)