Lucene search
ApacheWss4j

5 matches found

CVE
added 2021/03/10 8:00 a.m., 539 views

CVE-2020-13936

CVE-2020-13936 affects Apache Velocity, where modifying Velocity templates can bypass the sandbox and allow remote code execution with the container’s privileges. Engine versions affected include up to 2.2; IBM and related advisories flag this as a Velocity sandbox bypass leading to arbitrary cod...

CVSS 9, AI score 8.9, EPSS 0.22709
CVE
added 2020/03/11 3:45 p.m., 135 views

CVE-2011-2487

CVE-2011-2487 is referenced by GitHub advisory GHSA-vjwc-5HFH-2VV5, which notes that Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 leak information about decryption failures when decrypting an encrypted key or message data, making it easier to recover plaintext keys via crafted messages. The ...

CVSS 5.9, AI score 5.7, EPSS 0.01756
CVE
added 2017/10/30 2:00 p.m., 134 views

CVE-2015-0226

CVE-2015-0226 affects Apache WSS4J: versions before 1.6.17 and 2.0.x before 2.0.2 leak information about decryption failures when decrypting an encrypted key or message data, enabling an attacker to recover plaintext for a symmetric key via crafted messages. Root cause traces to an incomplete fi...

CVSS 7.5, AI score 5.7, EPSS 0.05501
CVE
added 2015/02/12 4:00 p.m., 108 views

CVE-2015-0227

CVE-2015-0227 affects Apache WSS4J, allowing remote bypass of requireSignedEncryptedDataElements via XML Signature wrapping attacks. The vulnerability is described as present in WSS4J releases before 1.6.17 and in 2.x releases before 2.0.2, enabling attackers to bypass security restrictions and p...

CVSS 5, AI score 6.2, EPSS 0.07543
CVE
added 2014/10/30 2:00 p.m., 95 views

CVE-2014-3623

CVE-2014-3623 affects Apache WSS4J (used in Apache CXF) where, when configured with TransportBinding, it fails to properly enforce SAML SubjectConfirmation security semantics, enabling possible remote spoofing of web service endpoints. Affected versions: WSS4J before 1.6.17 and 2.x before 2.0.2 (...

CVSS 5, AI score 6.5, EPSS 0.09224