Vulnerability in Apache WSS4J
CVE-2011-2487
The implementation of the PKCS#1 v1.5 key transport mechanism (the rsa-1_5 algorithm) for XML Encryption in JBossWS and in Apache WSS4J before 1.6.5 is susceptible to a Bleichenbacher attack. A recipient that behaves observably differently depending on whether the RSA-decrypted EncryptedKey is PKCS#1 v1.5 conformant (for example by returning a distinguishable fault) hands the attacker a padding oracle; by submitting many blinded variants of the captured EncryptedKey and watching the oracle, the attacker recovers the wrapped symmetric key, and with it the plaintext of the message, without ever obtaining the RSA private key.
EPSS: 0.005 (66.0th percentile)
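The oracle described above, and the mitigation WSS4J 1.6.5 adopted (when the RSA unwrap of the EncryptedKey fails, substitute a random symmetric key of the expected size and continue, so the failure is no longer distinguishable from a wrong key), shown as an added Python illustration. This is not WSS4J or JBossWS code: the toy RSA key generation, the constructed 16-byte sample key, and every function name here are assumptions made for the example.

```python
import math
import os
import random

# Added illustration of CVE-2011-2487: a PKCS#1 v1.5 padding oracle on RSA key
# transport, and the "substitute a random key" mitigation. Toy RSA only; the key
# generation, sample key and function names are assumptions made for this example.

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin test (toy; adequate for a 256-bit demo prime)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_rsa(bits=512, e=65537):
    """Textbook RSA key (n, e, d); deterministic under random.seed()."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and math.gcd(e, phi) == 1:
            return n, e, pow(e, -1, phi)

def pkcs1_v15_pad(msg, k):
    """EME-PKCS1-v1_5 (type 2): 00 02 || PS (>= 8 nonzero bytes) || 00 || M."""
    ps_len = k - len(msg) - 3
    if ps_len < 8:
        raise ValueError("message too long for modulus")
    ps = bytes(random.randrange(1, 256) for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + msg

def pkcs1_v15_unpad(em, expected_len):
    """Strict decode; raises ValueError on any non-conformant block (the oracle)."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x02:
        raise ValueError("bad PKCS#1 v1.5 padding")
    sep = em.find(b"\x00", 2)
    if sep < 10:                    # PS must be at least 8 bytes long
        raise ValueError("bad PKCS#1 v1.5 padding")
    msg = em[sep + 1:]
    if len(msg) != expected_len:    # wrapped key must match the symmetric algorithm's size
        raise ValueError("bad key length")
    return msg

def rsa_encrypt(pub, em):
    n, e = pub
    return pow(int.from_bytes(em, "big"), e, n)

def _rsa_decrypt_block(priv, c):
    n, _, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(c, d, n).to_bytes(k, "big")   # keeps the leading 0x00 byte

def unwrap_vulnerable(priv, c, key_len):
    """Pre-1.6.5 behaviour: a padding failure surfaces as an error the sender observes."""
    return pkcs1_v15_unpad(_rsa_decrypt_block(priv, c), key_len)

def unwrap_hardened(priv, c, key_len):
    """WSS4J 1.6.5-style mitigation: on any unwrap failure substitute a random key of
    the expected size and carry on; the later symmetric decryption then fails the same
    way for a malformed EncryptedKey as for a wrong key, so there is no oracle."""
    try:
        return pkcs1_v15_unpad(_rsa_decrypt_block(priv, c), key_len)
    except ValueError:
        return os.urandom(key_len)

def padding_oracle(priv, c, key_len):
    """The attacker's view of the vulnerable service: conformant (True) or not (False)."""
    try:
        unwrap_vulnerable(priv, c, key_len)
        return True
    except ValueError:
        return False

def blind(pub, c, s):
    """Bleichenbacher's basic step: c' = c * s^e mod n decrypts to s*m mod n, so the
    oracle's answer on c' tells whether s*m mod n lies in the conformant interval."""
    n, e = pub
    return (c * pow(s, e, n)) % n

def demo(seed=2011):
    random.seed(seed)
    n, e, d = generate_rsa(512)
    k = 64
    aes_key = bytes(range(16))                     # constructed sample wrapped AES-128 key
    c = rsa_encrypt((n, e), pkcs1_v15_pad(aes_key, k))
    probe = blind((n, e), c, 2)   # 2*m lies in [4B, 6B): second byte 0x04/0x05, never 0x02
    return {
        "oracle_real": padding_oracle((n, e, d), c, 16),         # True: conformance leaks
        "oracle_probe": padding_oracle((n, e, d), probe, 16),    # False: non-conformance leaks
        "hardened_real": unwrap_hardened((n, e, d), c, 16),      # the genuine key
        "hardened_probe": unwrap_hardened((n, e, d), probe, 16), # random 16-byte key, no error
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value if isinstance(value, bool) else value.hex())
```

The real attack runs `blind` over a long sequence of multipliers s, shrinking the interval known to contain m with each conformant answer until the padded key is pinned down; the hardened unwrap answers every query with a plausible-looking key, so the sender never learns the conformance bit. Independently of the fix, RSA-OAEP key transport should be preferred over rsa-1_5, which is what this attack targets.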
Affected products
- Apache WSS4J — versions before 1.6.5
- Red Hat JBossWS — versions unknown
References
- bugzilla.redhat.com/show_bug.cgi
- www.nds.ruhr-uni-bochum.de/research/publications/breaking-xml-encryption-pkcs15/
- cxf.apache.org/note-on-cve-2011-2487.html
- rhn.redhat.com/errata/RHSA-2013-0191.html
- rhn.redhat.com/errata/RHSA-2013-0192.html
- rhn.redhat.com/errata/RHSA-2013-0193.html
- rhn.redhat.com/errata/RHSA-2013-0194.html
- rhn.redhat.com/errata/RHSA-2013-0195.html
- rhn.redhat.com/errata/RHSA-2013-0196.html
- rhn.redhat.com/errata/RHSA-2013-0198.html
Frequently asked questions
- What is CVE-2011-2487?
- CVE-2011-2487 is a Bleichenbacher-style padding-oracle weakness in the PKCS#1 v1.5 (rsa-1_5) key transport used for XML Encryption by Apache WSS4J before 1.6.5 and by JBossWS. Published 2020-03-11.
- Is CVE-2011-2487 known to be exploited?
- Two public proof-of-concept repositories are indexed. It is not currently listed in the CISA KEV catalog.