CVE-2011-4314

OpenID4Java <0.9.6 - Info Disclosure

Title source: llm
STIX 2.1

Description

message/ax/AxMessage.java in OpenID4Java before 0.9.6 final, as used in JBoss Enterprise Application Platform 5.1 before 5.1.2, Step2, Kay Framework before 1.0.2, and possibly other products does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack.

References (12)

Core 12
Core References
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2011-1804.html
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/44496
Patch, Vendor Advisory x_refsource_confirm
http://openid.net/2011/05/05/attribute-exchange-security-alert/
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2012-0519.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/48954
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2012-0441.html
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2011/11/16/1
Various Sources x_refsource_confirm
https://issues.jboss.org/browse/SOA-3597
Various Sources x_refsource_confirm
https://issues.jboss.org/browse/JBEPP-1368
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1026400
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2011/11/17/1
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/48697

Scores

EPSS 0.0320
EPSS Percentile 86.6%

Details

CWE
CWE-20
Status published
Products (15)
kay_framework_project/kay_framework 0.0.0
kay_framework_project/kay_framework 0.1.0
kay_framework_project/kay_framework 0.2.0
kay_framework_project/kay_framework 0.3.0
kay_framework_project/kay_framework 0.8.0
kay_framework_project/kay_framework 1.0.0
kay_framework_project/kay_framework < 1.0.1
openid/openid4java 0.9.2
openid/openid4java 0.9.3
openid/openid4java 0.9.4.339
... and 5 more
Published Jan 27, 2012
Tracked Since Feb 18, 2026