CVE-2011-4314 — Improper Input Validation in Framework Project KAY Framework

CWE-20 — Improper Input Validation CWE-345 — Insufficient Verification of Data Authenticity8 documents7 sources

Severity

5.8MEDIUMNVD

EPSS

0.6%

top 31.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openid Openid4java KAY Framework Project KAY Framework Redhat Jboss Enterprise Application Platform

Timeline

PublishedJan 27

Latest updateMay 17

Description

message/ax/AxMessage.java in OpenID4Java before 0.9.6 final, as used in JBoss Enterprise Application Platform 5.1 before 5.1.2, Step2, Kay Framework before 1.0.2, and possibly other products does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack.

CVSS vector

AV:N/AC:M/C:N/I:P/A:PExploitability: 8.6 | Impact: 4.9

Affected Packages4 packages

▶NVDredhat/jboss_enterprise_application_platform5.1.0, 5.1.1, 5.1.2+2

▶Debianopenid/openid4java< 0.9.6.662-1+3

▶NVDopenid/openid4java0.9.5.593+3

▶NVDkay_framework_project/kay_framework1.0.1+6

Patches

Patch: openid.net ↗Patch: openid.net ↗

🔴Vulnerability Details

GHSA

OpenID4Java does not verify that Attribute Exchange (AX) information is signed↗2022-05-17

▶

OSV

OpenID4Java does not verify that Attribute Exchange (AX) information is signed↗2022-05-17

▶

OSV

CVE-2011-4314: message/ax/AxMessage↗2012-01-27

▶

CVEList

CVE-2011-4314: message/ax/AxMessage↗2012-01-27

▶

📋Vendor Advisories

Red Hat

extension): MITM due to improper validation of AX attribute signatures↗2011-05-05

▶

Debian

CVE-2011-4314: openid4java - message/ax/AxMessage.java in OpenID4Java before 0.9.6 final, as used in JBoss En...↗2011

▶

💬Community

Bugzilla

CVE-2011-4314 openid4java (AX extension): MITM due to improper validation of AX attribute signatures↗2011-11-16

▶