message/ax/AxMessage.java in OpenID4Java prior to 0.9.6 final, as used in JBoss Enterprise Application Platform 5.1 prior to 5.1.2, Step2, Kay Framework prior to 1.0.2, and possibly other products, does not verify that Attribute Exchange (AX) information is signed, which allows remote malicious users to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack.

| Vulnerable Product |
|---|
| redhat jboss enterprise application platform 5.1.0 |
| redhat jboss enterprise application platform 5.1.1 |
| kay framework project kay framework 0.1.0 |
| kay framework project kay framework 0.0.0 |
| openid openid4java 0.9.3 |
| openid openid4java 0.9.2 |
| kay framework project kay framework 0.3.0 |
| kay framework project kay framework 0.2.0 |
| redhat jboss enterprise application platform 5.1.2 |
| kay framework project kay framework |
| openid openid4java |
| openid openid4java 0.9.4.339 |
| kay framework project kay framework 1.0.0 |
| kay framework project kay framework 0.8.0 |
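
An added example, not code from OpenID4Java or any of the listed products: a relying-party check that refuses AX data unless every AX field is listed in `openid.signed`, the condition the description says was not verified. It assumes the response signature itself has already been validated; the function names and sample responses are constructed for illustration.

```python
AX_NS = "http://openid.net/srv/ax/1.0"  # Attribute Exchange 1.0 namespace URI


def unsigned_ax_fields(params):
    """Return the sorted AX keys in an OpenID response not covered by openid.signed."""
    # openid.signed lists the covered keys without their "openid." prefix.
    signed = {k.strip() for k in params.get("openid.signed", "").split(",") if k.strip()}
    # Extension aliases are chosen by the sender, so locate AX by namespace URI.
    aliases = [k[len("openid.ns."):] for k, v in params.items()
               if k.startswith("openid.ns.") and v == AX_NS]
    missing = []
    for alias in aliases:
        # The namespace declaration must be signed too, or the alias can be remapped.
        if "ns." + alias not in signed:
            missing.append("openid.ns." + alias)
        prefix = "openid." + alias + "."
        missing += [k for k in params
                    if k.startswith(prefix) and k[len("openid."):] not in signed]
    return sorted(missing)


def accept_ax(params):
    """Use AX attributes only when all of them are covered by the signature."""
    return not unsigned_ax_fields(params)


# Constructed sample responses (hypothetical values, not captured traffic).
SIGNED_OK = {
    "openid.mode": "id_res",
    "openid.ns.ax": AX_NS,
    "openid.ax.mode": "fetch_response",
    "openid.ax.type.email": "http://axschema.org/contact/email",
    "openid.ax.value.email": "alice@example.org",
    "openid.signed": "mode,ns.ax,ax.mode,ax.type.email,ax.value.email",
}
# Same response, but the AX fields are absent from openid.signed.
AX_UNSIGNED = dict(SIGNED_OK, **{"openid.signed": "mode"})
# The attribute value alone is left unsigned.
VALUE_UNSIGNED = dict(SIGNED_OK, **{"openid.signed": "mode,ns.ax,ax.mode,ax.type.email"})

if __name__ == "__main__":
    for name, resp in [("signed", SIGNED_OK), ("unsigned", AX_UNSIGNED),
                       ("value unsigned", VALUE_UNSIGNED)]:
        print(name, accept_ax(resp), unsigned_ax_fields(resp))
```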