Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS12andjLTVoZmgtMnZ2Nc4AATTs

Use of a Broken or Risky Cryptographic Algorithm in Apache WSS4J

Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks information about decryption failures when decrypting an encrypted key or message data, which makes it easier for remote attackers to recover the plaintext form of a symmetric key via a series of crafted messages. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-2487.

Permalink: https://github.com/advisories/GHSA-vjwc-5hfh-2vv5
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12andjLTVoZmgtMnZ2Nc4AATTs
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 3 months ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-vjwc-5hfh-2vv5, CVE-2015-0226
References:

• https://nvd.nist.gov/vuln/detail/CVE-2015-0226
• https://access.redhat.com/errata/RHSA-2016:1376
• https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03900en_us
• https://ws.apache.org/wss4j/advisories/CVE-2015-0226.txt.asc
• https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
• http://rhn.redhat.com/errata/RHSA-2015-0846.html
• http://rhn.redhat.com/errata/RHSA-2015-0847.html
• http://rhn.redhat.com/errata/RHSA-2015-0848.html
• http://rhn.redhat.com/errata/RHSA-2015-0849.html
• http://rhn.redhat.com/errata/RHSA-2015-1176.html
• http://rhn.redhat.com/errata/RHSA-2015-1177.html
• https://github.com/apache/ws-wss4j/commit/970b3e3756e2c75bf2379ce198365e1a7168c3c3
• https://github.com/apache/ws-wss4j/commit/de5104b30ddde5fe7388ad57e1c5ace5c5509924
• https://svn.apache.org/viewvc?view=revision&revision=1621329
• https://github.com/advisories/GHSA-vjwc-5hfh-2vv5

Repository: https://github.com/apache/ws-wss4j
Blast Radius: 23.4

Affected Packages