CVE-2011-4314

Published: Jan 27, 2012Modified: Apr 29, 2026

5.8

Vector

AV:N/AC:M/Au:N/C:N/I:P/A:P

Exploitability: 8.6 / Impact: 4.9

Source: NVD

Description

message/ax/AxMessage.java in OpenID4Java before 0.9.6 final, as used in JBoss Enterprise Application Platform 5.1 before 5.1.2, Step2, Kay Framework before 1.0.2, and possibly other products does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack.

Affected (14)

Products: Kay Framework Project: Kay Framework · Openid: Openid4java · Redhat: Jboss Enterprise Application Platform

Kay Framework Project

1 product

1 product

1 product

Jboss Enterprise Application Platform

Configuration A

14 vulnerable

Vulnerable Software	Affected Versions
Kay Framework Project Kay Framework	Up to 1.0.1
Kay Framework Project Kay Framework	Version 0.0.0
Kay Framework Project Kay Framework	Version 0.1.0
Kay Framework Project Kay Framework	Version 0.2.0
Kay Framework Project Kay Framework	Version 0.3.0
Kay Framework Project Kay Framework	Version 0.8.0
Kay Framework Project Kay Framework	Version 1.0.0
Openid Openid4java	Up to 0.9.5.593
Openid Openid4java	Version 0.9.2
Openid Openid4java	Version 0.9.3
Openid Openid4java	Version 0.9.4.339
Redhat Jboss Enterprise Application Platform	Version 5.1.0
Redhat Jboss Enterprise Application Platform	Version 5.1.1
Redhat Jboss Enterprise Application Platform	Version 5.1.2

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (24)

http://openid.net/2011/05/05/attribute-exchange-security-alert/

Source: secalert@redhat.com

PatchVendor Advisory

http://rhn.redhat.com/errata/RHSA-2012-0441.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2012-0519.html

Source: secalert@redhat.com

http://secunia.com/advisories/44496

Source: secalert@redhat.com

Vendor Advisory

http://secunia.com/advisories/48697

Source: secalert@redhat.com

http://secunia.com/advisories/48954

Source: secalert@redhat.com

http://securitytracker.com/id?1026400

Source: secalert@redhat.com

http://www.openwall.com/lists/oss-security/2011/11/16/1

Source: secalert@redhat.com

http://www.openwall.com/lists/oss-security/2011/11/17/1

Source: secalert@redhat.com

http://www.redhat.com/support/errata/RHSA-2011-1804.html

Source: secalert@redhat.com

https://issues.jboss.org/browse/JBEPP-1368

Source: secalert@redhat.com

https://issues.jboss.org/browse/SOA-3597

Source: secalert@redhat.com

http://openid.net/2011/05/05/attribute-exchange-security-alert/

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

http://rhn.redhat.com/errata/RHSA-2012-0441.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2012-0519.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/44496

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://secunia.com/advisories/48697

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/48954

Source: af854a3a-2127-422b-91ae-364da2661108

http://securitytracker.com/id?1026400

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.openwall.com/lists/oss-security/2011/11/16/1

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.openwall.com/lists/oss-security/2011/11/17/1

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.redhat.com/support/errata/RHSA-2011-1804.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://issues.jboss.org/browse/JBEPP-1368

Source: af854a3a-2127-422b-91ae-364da2661108

https://issues.jboss.org/browse/SOA-3597

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.