CVE-2015-0226

HIGH

Apache WSS4J < 1.6.17 and 2.0.0-2.0.1 - Information Disclosure via Decryption Failure Handling

Title source: llm
STIX 2.1

Description

Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks information about decryption failures when decrypting an encrypted key or message data, which makes it easier for remote attackers to recover the plaintext form of a symmetric key via a series of crafted messages. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-2487.

References (11)

Core 11
Core References
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2016:1376
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-0848.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-0846.html
Issue Tracking, Vendor Advisory x_refsource_confirm
https://ws.apache.org/wss4j/advisories/CVE-2015-0226.txt.asc
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-0847.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/72553
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-0849.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-1176.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-1177.html

Scores

CVSS v3 7.5
EPSS 0.0521
EPSS Percentile 90.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-327
Status published
Products (6)
apache/wss4j 2.0 beta
apache/wss4j 2.0.0 (2 CPE variants)
apache/wss4j 2.0.1
apache/wss4j < 1.6.16
org.apache.ws.security/wss4j 0 - 1.6.17Maven
org.apache.wss4j/wss4j-ws-security-dom 2.0.0 - 2.0.2Maven
Published Oct 30, 2017
Tracked Since Feb 18, 2026