
Dennis Kupser

Researcher from Ruhr University Bochum
#20470 of 53,633
12.5 Total CVSS
Vulnerabilities · 2
Medium: 1
High: 1
PT-2017-6437
7.5
2017-10-30
Apache · Apache Wss4J · CVE-2015-0226
**Name of the Vulnerable Software and Affected Versions**

Apache WSS4J versions prior to 1.6.17

Apache WSS4J versions 2.0.x prior to 2.0.2

**Description**

The issue allows remote attackers to recover the plaintext form of a symmetric key via a series of crafted messages, due to improper information leakage about decryption failures when decrypting an encrypted key or message data.

**Recommendations**

For Apache WSS4J versions prior to 1.6.17, update to version 1.6.17 or later.

For Apache WSS4J versions 2.0.x prior to 2.0.2, update to version 2.0.2 or later.
PT-2015-4532
5.0
2015-02-12
Apache · Apache Wss4J · CVE-2015-0227
**Name of the Vulnerable Software and Affected Versions**

Apache WSS4J versions 1.6.16 and earlier, 2.x versions prior to 2.0.2

**Description**

The issue allows remote attackers to bypass the `requireSignedEncryptedDataElements` configuration through vectors related to "wrapping attacks". This enables attackers to evade security measures.

**Recommendations**

For Apache WSS4J versions 1.6.16 and earlier, update to version 1.6.17 or later.

For Apache WSS4J 2.x versions prior to 2.0.2, update to version 2.0.2 or later.