CVE-2015-0226

CWE-327 — Broken Cryptographic Algorithm9 documents7 sources

Severity

7.5HIGH

EPSS

5.2%

top 10.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Wss4j

Timeline

PublishedOct 30

Latest updateMay 14

Description

Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks information about decryption failures when decrypting an encrypted key or message data, which makes it easier for remote attackers to recover the plaintext form of a symmetric key via a series of crafted messages. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-2487.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶Mavenorg.apache.ws.security:wss4j< 1.6.17

▶Mavenorg.apache.wss4j:wss4j-ws-security-dom2.0.0 — 2.0.2

▶NVDapache/wss4j1.6.16+3

▶Debianwss4j< 1.6.15-2+3

🔴Vulnerability Details

GHSA

Use of a Broken or Risky Cryptographic Algorithm in Apache WSS4J↗2022-05-14

▶

OSV

Use of a Broken or Risky Cryptographic Algorithm in Apache WSS4J↗2022-05-14

▶

OSV

CVE-2015-0226: Apache WSS4J before 1↗2017-10-30

▶

CVEList

CVE-2015-0226: Apache WSS4J before 1↗2017-10-30

▶

📋Vendor Advisories

Red Hat

wss4j: Apache WSS4J is vulnerable to Bleichenbacher's attack (incomplete fix for CVE-2011-2487)↗2015-02-10

▶

Debian

CVE-2015-0226: wss4j - Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks information a...↗2015

▶

💬Community

Bugzilla

CVE-2015-0226 wss4j: Apache WSS4J is vulnerable to Bleichenbacher's attack (incomplete fix for CVE-2011-2487)↗2015-02-11

▶

Bugzilla

CVE-2015-0227 CVE-2015-0226 wss4j: various flaws [fedora-all]↗2015-02-11

▶