Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12andjLTVoZmgtMnZ2Nc4AATTs
Use of a Broken or Risky Cryptographic Algorithm in Apache WSS4J
Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks information about decryption failures when decrypting an encrypted key or message data, which makes it easier for remote attackers to recover the plaintext form of a symmetric key via a series of crafted messages. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-2487.
Permalink: https://github.com/advisories/GHSA-vjwc-5hfh-2vv5
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12andjLTVoZmgtMnZ2Nc4AATTs
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 3 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-vjwc-5hfh-2vv5, CVE-2015-0226
References:
- https://nvd.nist.gov/vuln/detail/CVE-2015-0226
- https://access.redhat.com/errata/RHSA-2016:1376
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03900en_us
- https://ws.apache.org/wss4j/advisories/CVE-2015-0226.txt.asc
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- http://rhn.redhat.com/errata/RHSA-2015-0846.html
- http://rhn.redhat.com/errata/RHSA-2015-0847.html
- http://rhn.redhat.com/errata/RHSA-2015-0848.html
- http://rhn.redhat.com/errata/RHSA-2015-0849.html
- http://rhn.redhat.com/errata/RHSA-2015-1176.html
- http://rhn.redhat.com/errata/RHSA-2015-1177.html
- https://github.com/apache/ws-wss4j/commit/970b3e3756e2c75bf2379ce198365e1a7168c3c3
- https://github.com/apache/ws-wss4j/commit/de5104b30ddde5fe7388ad57e1c5ace5c5509924
- https://svn.apache.org/viewvc?view=revision&revision=1621329
- https://github.com/advisories/GHSA-vjwc-5hfh-2vv5
Blast Radius: 23.4
Affected Packages
maven:org.apache.wss4j:wss4j-ws-security-dom
Dependent packages: 89
Dependent repositories: 241
Downloads:
Affected Version Ranges: >= 2.0.0, < 2.02
Fixed in: 2.02
All affected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12
All unaffected versions: 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 3.0.0, 3.0.1, 3.0.2, 3.0.3
maven:org.apache.ws.security:wss4j
Dependent packages: 122
Dependent repositories: 1,332
Downloads:
Affected Version Ranges: < 1.6.17
Fixed in: 1.6.17
All affected versions: 1.6.8, 1.6.9, 1.6.10, 1.6.11, 1.6.12, 1.6.13, 1.6.14, 1.6.15, 1.6.16
All unaffected versions: 1.6.17, 1.6.18, 1.6.19