CVE-2011-4314

Sažetak

message/ax/AxMessage.java in OpenID4Java before 0.9.6 final, as used in JBoss Enterprise Application Platform 5.1 before 5.1.2, Step2, Kay Framework before 1.0.2, and possibly other products does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack.

Reference

http://openid.net/2011/05/05/attribute-exchange-security-alert/
http://rhn.redhat.com/errata/RHSA-2012-0441.html
http://rhn.redhat.com/errata/RHSA-2012-0519.html
http://secunia.com/advisories/44496
http://secunia.com/advisories/48697
http://secunia.com/advisories/48954
http://securitytracker.com/id?1026400
http://www.openwall.com/lists/oss-security/2011/11/16/1
http://www.openwall.com/lists/oss-security/2011/11/17/1
http://www.redhat.com/support/errata/RHSA-2011-1804.html
https://issues.jboss.org/browse/JBEPP-1368
https://issues.jboss.org/browse/SOA-3597

CVSS

Base:	5.8
Impact:	4.9
Exploitability:	8.6

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:M/Au:N/C:N/I:P/A:P

Zadnje važnije ažuriranje

15-02-2013 - 04:50

Objavljeno

27-01-2012 - 15:55