Vulnerability in Apache Wss4j
CVE-2015-0227
Apache WSS4J before 1.6.17 and 2.x before 2.0.2 allows remote attackers to bypass the requireSignedEncryptedDataElements configuration via vectors related to "wrapping attacks."
EPSS: 0.139 (94.4th percentile)
Affected products
- Apache Wss4j — versions 2.0.0, 2.0.1
Weakness classification (CWE)
References
- RHSA-2015:0773 (x_refsource_REDHAT, vendor-advisory)
- apache-wss4j-sec-bypass(100837) (vdb-entry, x_refsource_XF)
- RHSA-2015:0849 (x_refsource_REDHAT, vendor-advisory)
- RHSA-2015:1176 (x_refsource_REDHAT, vendor-advisory)
- RHSA-2015:1177 (x_refsource_REDHAT, vendor-advisory)
- RHSA-2015:0848 (x_refsource_REDHAT, vendor-advisory)
- RHSA-2015:0846 (x_refsource_REDHAT, vendor-advisory)
- secalert@redhat.com (x_refsource_CONFIRM)
- secalert@redhat.com (x_refsource_CONFIRM, Patch, Vendor Advisory)
- 72557 (vdb-entry, x_refsource_BID)