Apache WSS4J Configuration Bypass Vulnerability
CVE-2015-0227

Currently unrated

Key Information:

Vendor: Apache
Status: Wss4j
Vendor: CVE Published:; 12 February 2015

Summary

Apache WSS4J versions prior to 1.6.17 and 2.x before 2.0.2 are affected by a vulnerability that allows remote attackers to bypass the requireSignedEncryptedDataElements setting. This occurs through specific vectors associated with wrapping attacks, enabling malicious actors to manipulate SOAP messages without proper security controls. Users of vulnerable versions should consider upgrading to mitigate potential risks.

References

http://rhn.redhat.com/errata/RHSA-2015-0773.html

vendor-advisoryx_refsource_REDHAT

https://exchange.xforce.ibmcloud.com/vulnerabilities/100837

vdb-entryx_refsource_XF

http://rhn.redhat.com/errata/RHSA-2015-0849.html

vendor-advisoryx_refsource_REDHAT

EPSS Score

17% chance of being exploited in the next 30 days.

Timeline

Vulnerability published
Feb 12, 2015
Vulnerability Reserved
Nov 18, 2014