CVE-2015-0227

Severity
5.0 MEDIUM
EPSS
13.9%
top 5.70%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Feb 12
Latest update May 14

Description

Apache WSS4J before 1.6.17 and 2.x before 2.0.2 allows remote attackers to bypass the requireSignedEncryptedDataElements configuration via vectors related to "wrapping attacks."

CVSS vector

AV:N/AC:L/C:N/I:P/A:N
Exploitability: 10.0 | Impact: 2.9

Affected Packages (3 packages)

Maven org.apache.ws.security:wss4j 2.0.02.02+1
NVD apache/wss4j 1.6.16+2
Debian wss4j < 1.6.15-2+3

Patches

🔴Vulnerability Details

4
GHSA
Improper Access Control in Apache WSS4J (2022-05-14)
OSV
Improper Access Control in Apache WSS4J (2022-05-14)
OSV
CVE-2015-0227: Apache WSS4J before 1 (2015-02-12)
CVEList
CVE-2015-0227: Apache WSS4J before 1 (2015-02-12)

📋Vendor Advisories

3
Red Hat
wss4j: Apache WSS4J doesn't correctly enforce the requireSignedEncryptedDataElements property (2015-02-10)
Debian
CVE-2015-0227: wss4j - Apache WSS4J before 1.6.17 and 2.x before 2.0.2 allows remote attackers to bypas... (2015)
Apache
Apache tomcat: CVE-2014-0227

💬Community

2
Bugzilla
CVE-2015-0227 wss4j: Apache WSS4J doesn't correctly enforce the requireSignedEncryptedDataElements property (2015-02-11)
Bugzilla
CVE-2015-0227 CVE-2015-0226 wss4j: various flaws [fedora-all] (2015-02-11)