PT-2012-1858 · Red Hat · Red Hat JBoss Enterprise Application Platform

David Jorm · Published 2012-01-27 · Updated 2022-05-17

CVE-2011-4314

CVSS v2.0: 5.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P
Name of the Vulnerable Software and Affected Versions

- OpenID4Java versions prior to 0.9.6 final
- JBoss Enterprise Application Platform versions prior to 5.1.2
- Kay Framework versions prior to 1.0.2
Description

message/ax/AxMessage.java in OpenID4Java does not verify that Attribute Exchange (AX) fields in an OpenID response are covered by the response signature. A remote attacker positioned as a man-in-the-middle (MITM) between the OpenID provider and the relying party can therefore modify potentially sensitive AX information (for example the attribute values returned by a fetch response) without the tampering being detected. The core assertion signature still verifies, because it only covers the fields listed in openid.signed; a relying party can detect the modification only if it checks that every AX parameter, including the openid.ns.<alias> declaration, appears in that list before trusting the value.
Recommendations

- For OpenID4Java versions prior to 0.9.6 final, update to version 0.9.6 final or later.
- For JBoss Enterprise Application Platform versions prior to 5.1.2, update to version 5.1.2 or later.
- For Kay Framework versions prior to 1.0.2, update to version 1.0.2 or later.
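The check described above, as an added example that is not OpenID4Java's own code: a constructed OpenID 2.0 positive assertion from a hypothetical provider (hostnames, nonce, association handle and the HMAC-SHA256 MAC key are all made up), an attacker on the redirect rewriting the AX e-mail value, and two relying-party extractors side by side. The vulnerable one verifies openid.sig and then reads the AX value regardless of whether it was signed, which is the CVE-2011-4314 pattern; the hardened one additionally requires every AX field to appear in openid.signed. The example also shows the opposite case, where the provider does sign the AX fields and tampering breaks the signature for both extractors.

```python
"""CVE-2011-4314 pattern: trusting OpenID AX attributes that are not covered by
openid.signed. Added example with constructed data, not OpenID4Java code."""
import base64
import hashlib
import hmac

AX_NS = "http://openid.net/srv/ax/1.0"
MAC_KEY = b"constructed-association-mac-key"  # constructed; a real key comes from the association

# Fields OpenID 2.0 requires in openid.signed, plus "signed" itself (common library practice).
CORE_SIGNED = ["op_endpoint", "claimed_id", "identity", "return_to",
               "response_nonce", "assoc_handle", "signed"]
AX_FIELDS = ["ns.ax", "ax.mode", "ax.type.email", "ax.value.email"]


def kv_form(params, signed_fields):
    """Key-Value form of the signed fields: 'key:value\\n' per field, 'openid.' prefix dropped."""
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in signed_fields)


def compute_sig(params, signed_fields, mac_key):
    """HMAC-SHA256 over the KV form, base64-encoded (HMAC-SHA256 association type)."""
    digest = hmac.new(mac_key, kv_form(params, signed_fields).encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def op_response(email, sign_ax, mac_key=MAC_KEY):
    """Constructed positive assertion from a hypothetical OP carrying one AX attribute.
    sign_ax decides whether the AX fields are included in openid.signed."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/endpoint",
        "openid.claimed_id": "https://op.example/alice",
        "openid.identity": "https://op.example/alice",
        "openid.return_to": "https://rp.example/return",
        "openid.response_nonce": "2012-01-27T00:00:00ZAbCdEf",
        "openid.assoc_handle": "assoc-1",
        "openid.ns.ax": AX_NS,
        "openid.ax.mode": "fetch_response",
        "openid.ax.type.email": "http://axschema.org/contact/email",
        "openid.ax.value.email": email,
    }
    signed = CORE_SIGNED + (AX_FIELDS if sign_ax else [])
    params["openid.signed"] = ",".join(signed)
    params["openid.sig"] = compute_sig(params, signed, mac_key)
    return params


def mitm_tamper(params, email):
    """Attacker on the unencrypted return_to redirect rewrites the AX e-mail value."""
    tampered = dict(params)
    tampered["openid.ax.value.email"] = email
    return tampered


def verify_signature(params, mac_key=MAC_KEY):
    """Recompute the signature over the fields the OP claims to have signed."""
    signed = params["openid.signed"].split(",")
    return hmac.compare_digest(compute_sig(params, signed, mac_key), params["openid.sig"])


def ax_alias(params):
    """Find the extension alias bound to the AX namespace (usually 'ax', but not guaranteed)."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == AX_NS:
            return key[len("openid.ns."):]
    return None


def ax_email_unchecked(params, mac_key=MAC_KEY):
    """Vulnerable pattern: signature verified, AX value read whether or not it was signed."""
    if not verify_signature(params, mac_key):
        raise ValueError("bad signature")
    alias = ax_alias(params)
    return params.get(f"openid.{alias}.value.email") if alias else None


def ax_email_checked(params, mac_key=MAC_KEY):
    """Hardened: the namespace declaration and every AX field must be listed in openid.signed."""
    if not verify_signature(params, mac_key):
        raise ValueError("bad signature")
    alias = ax_alias(params)
    if alias is None:
        return None
    signed = set(params["openid.signed"].split(","))
    ax_keys = [k[len("openid."):] for k in params
               if k == f"openid.ns.{alias}" or k.startswith(f"openid.{alias}.")]
    unsigned = [k for k in ax_keys if k not in signed]
    if unsigned:
        raise ValueError(f"AX fields not covered by signature: {unsigned}")
    return params[f"openid.{alias}.value.email"]


def rejects(extractor, params):
    """True if the extractor refuses the response (used to show which cases are caught)."""
    try:
        extractor(params)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    unsigned = mitm_tamper(op_response("alice@example.org", sign_ax=False), "mallory@evil.example")
    print("unsigned AX, tampered, vulnerable RP:", ax_email_unchecked(unsigned))
    print("unsigned AX, tampered, hardened RP rejects:", rejects(ax_email_checked, unsigned))
    signed = mitm_tamper(op_response("alice@example.org", sign_ax=True), "mallory@evil.example")
    print("signed AX, tampered, vulnerable RP rejects:", rejects(ax_email_unchecked, signed))
```

The hardened extractor also covers the injection variant of the same weakness: if the provider returned no AX data at all and the attacker adds openid.ns.ax and openid.ax.* parameters to the redirect, those keys are absent from openid.signed and the response is rejected rather than silently yielding attacker-chosen attributes. A relying party should treat unsigned AX data from a provider that does not sign extension fields as untrusted input, not as an authenticated attribute.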

Fix available

Insufficient Verification of Data Authenticity


Weakness Enumeration

CWE-345: Insufficient Verification of Data Authenticity

Related Identifiers

CVE-2011-4314
GHSA-J473-C3RR-RX9P
RHSA-2011:1798
RHSA-2011:1799
RHSA-2011:1800
RHSA-2011:1802
RHSA-2011:1803
RHSA-2011:1804

Affected Products

Red Hat JBoss Enterprise Application Platform
Kay Framework
OpenID4Java