CVE-2011-4314

Published: 27/01/2012 Updated: 15/02/2013
CVSS v2 Base Score: 5.8 | Impact Score: 4.9 | Exploitability Score: 8.6
VMScore: 516
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P

Vulnerability Summary

message/ax/AxMessage.java in OpenID4Java prior to 0.9.6 final, as used in JBoss Enterprise Application Platform 5.1 prior to 5.1.2, Step2, Kay Framework prior to 1.0.2, and possibly other products, does not verify that Attribute Exchange (AX) information is signed, which allows remote malicious users to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack.

Vulnerable Product

redhat jboss enterprise application platform 5.1.0

redhat jboss enterprise application platform 5.1.1

kay framework project kay framework 0.1.0

kay framework project kay framework 0.0.0

openid openid4java 0.9.3

openid openid4java 0.9.2

kay framework project kay framework 0.3.0

kay framework project kay framework 0.2.0

redhat jboss enterprise application platform 5.1.2

kay framework project kay framework

openid openid4java

openid openid4java 0.9.4.339

kay framework project kay framework 1.0.0

kay framework project kay framework 0.8.0

Vendor Advisories

Synopsis: Low: JBoss Enterprise Application Platform 5.1.2 update. Type/Severity: Security Advisory: Low. Topic: Updated JBoss Enterprise Application Platform 5.1.2 packages that fix two security issues, various bugs, and add several enhancements are now available for Red Hat Enterprise Linux 5. The Red Hat Securit ...
Synopsis: Low: JBoss Enterprise Application Platform 5.1.2 update. Type/Severity: Security Advisory: Low. Topic: Updated JBoss Enterprise Application Platform 5.1.2 packages that fix two security issues, various bugs, and add several enhancements are now available for Red Hat Enterprise Linux 6. The Red Hat Securit ...
Synopsis: Low: JBoss Enterprise Web Platform 5.1.2 update. Type/Severity: Security Advisory: Low. Topic: Updated JBoss Enterprise Web Platform 5.1.2 packages that fix one security issue, various bugs, and add several enhancements are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team h ...
Synopsis: Low: JBoss Enterprise Web Platform 5.1.2 update. Type/Severity: Security Advisory: Low. Topic: Updated JBoss Enterprise Web Platform 5.1.2 packages that fix one security issue, various bugs, and add several enhancements are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team h ...

Exploits

Red Hat Security Advisory 2011-1798-01 - JBoss Enterprise Application Platform is a platform for Java applications, which integrates the JBoss Application Server with JBoss Hibernate and JBoss Seam. OpenID4Java allows you to implement OpenID authentication in your Java applications. OpenID4Java is a Technology Preview. This JBoss Enterprise Applica ...