CVE-2015-0227

Apache WSS4J before 1.6.17 and 2.x before 2.0.2 allows remote attackers to bypass the requireSignedEncryptedDataElements configuration via a vectors related to "wrapping attacks."

Published Bysecalert@redhat.com

Published DateFeb 12, 2015, 16:59

Affected Versions(2)

org.apache.ws.security:wss4j(Maven)

Introduced0

Fixed1.6.17

LimitN/A

org.apache.ws.security:wss4j(Maven)

Introduced2.0.0

Fixed2.02

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.apache.ws.security:wss4j(Maven)	0	1.6.17	N/A
org.apache.ws.security:wss4j(Maven)	2.0.0	2.02	N/A

Weakness Type (CWE):CWE-264

CVSS Metrics

Base Score

Vector String

AV:N/AC:L/Au:N/C:N/I:P/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

NONE

Integrity (I)

PARTIAL

Availability (A)

NONE

References

Weakness Type (CWE):CWE-264

CVSS Metrics

Base Score

Vector String

AV:N/AC:L/Au:N/C:N/I:P/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

NONE

Integrity (I)

PARTIAL

Availability (A)

NONE