Description
message/ax/AxMessage.java in OpenID4Java before 0.9.6 final, as used in JBoss Enterprise Application Platform 5.1 before 5.1.2, Step2, Kay Framework before 1.0.2, and possibly other products does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack.
References (12)
Core 12
Core References
Vendor Advisory vendor-advisory
x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2011-1804.html
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/44496
Patch, Vendor Advisory x_refsource_confirm
http://openid.net/2011/05/05/attribute-exchange-security-alert/
Vendor Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2012-0519.html
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/48954
Vendor Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2012-0441.html
Mailing List mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2011/11/16/1
Various Sources x_refsource_confirm
https://issues.jboss.org/browse/SOA-3597
Various Sources x_refsource_confirm
https://issues.jboss.org/browse/JBEPP-1368
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://securitytracker.com/id?1026400
Mailing List mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2011/11/17/1
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/48697
Scores
EPSS
0.0320
EPSS Percentile
86.6%
Details
CWE
CWE-20
Status
published
Products (15)
kay_framework_project/kay_framework
0.0.0
kay_framework_project/kay_framework
0.1.0
kay_framework_project/kay_framework
0.2.0
kay_framework_project/kay_framework
0.3.0
kay_framework_project/kay_framework
0.8.0
kay_framework_project/kay_framework
1.0.0
kay_framework_project/kay_framework
< 1.0.1
openid/openid4java
0.9.2
openid/openid4java
0.9.3
openid/openid4java
0.9.4.339
... and 5 more
Published
Jan 27, 2012
Tracked Since
Feb 18, 2026