CVE-2011-4314
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2011-4314
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2011-4314.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2011-4314
- Related
- Published
- 2012-01-27T15:55:04Z
- Modified
- 2024-09-18T01:00:20Z
- Summary
- [none]
- Details
-
message/ax/AxMessage.java in OpenID4Java before 0.9.6 final, as used in JBoss Enterprise Application Platform 5.1 before 5.1.2, Step2, Kay Framework before 1.0.2, and possibly other products does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack.
- References
-
- http://openid.net/2011/05/05/attribute-exchange-security-alert/
- http://rhn.redhat.com/errata/RHSA-2012-0441.html
- http://rhn.redhat.com/errata/RHSA-2012-0519.html
- http://secunia.com/advisories/44496
- http://secunia.com/advisories/48697
- http://secunia.com/advisories/48954
- http://securitytracker.com/id?1026400
- http://www.openwall.com/lists/oss-security/2011/11/16/1
- http://www.openwall.com/lists/oss-security/2011/11/17/1
- http://www.redhat.com/support/errata/RHSA-2011-1804.html
- https://issues.jboss.org/browse/JBEPP-1368
- https://issues.jboss.org/browse/SOA-3597
- https://security-tracker.debian.org/tracker/CVE-2011-4314
Affected packages
Debian:11 / openid4java
Package
- Name
- openid4java
- Purl
- pkg:deb/debian/openid4java?arch=source
Debian:12 / openid4java
Package
- Name
- openid4java
- Purl
- pkg:deb/debian/openid4java?arch=source
Debian:13 / openid4java
Package
- Name
- openid4java
- Purl
- pkg:deb/debian/openid4java?arch=source