Description

Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks information about decryption failures when decrypting an encrypted key or message data, which makes it easier for remote attackers to recover the plaintext form of a symmetric key via a series of crafted messages. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-2487.

Remediation

References

https://ws.apache.org/wss4j/advisories/CVE-2015-0226.txt.asc

http://www.securityfocus.com/bid/72553

https://access.redhat.com/errata/RHSA-2016:1376

http://rhn.redhat.com/errata/RHSA-2015-1177.html

http://rhn.redhat.com/errata/RHSA-2015-1176.html

http://rhn.redhat.com/errata/RHSA-2015-0849.html

http://rhn.redhat.com/errata/RHSA-2015-0848.html

http://rhn.redhat.com/errata/RHSA-2015-0847.html

http://rhn.redhat.com/errata/RHSA-2015-0846.html

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03900en_us

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Related Vulnerabilities

CVE-2018-3734 Vulnerability in npm package stattic

CVE-2020-4077 Vulnerability in npm package electron

CVE-2022-39225 Vulnerability in npm package parse-server

CVE-2021-36737 Vulnerability in maven package org.apache.portals.pluto.demo:v3-demo-portlet

CVE-2022-21653 Vulnerability in maven package org.typelevel:jawn-parser_3

Severity

High

Classification

CWE-327 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Issue Tracking Vendor Advisory Third Party Advisory VDB Entry