GHSA-5hhf-xmfx-4vvr
Suggest an improvement- Source
- https://github.com/advisories/GHSA-5hhf-xmfx-4vvr
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-5hhf-xmfx-4vvr/GHSA-5hhf-xmfx-4vvr.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-5hhf-xmfx-4vvr
- Aliases
-
- CVE-2026-45574
- Published
- 2026-05-15T18:29:31Z
- Modified
- 2026-05-15T18:49:20.517621Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- epa4all-client: TLS Certificate Validation Disabled in Production
- Details
-
Impact
An attacker on the network path between the ePA service and the Konnektor can present any TLS certificate (self-signed, expired, wrong CN) and intercept all SOAP traffic. This includes patient identifiers (KVNR), SMC-B card operations (authentication, signing), document content, and credential exchanges.
Patches
Workarounds
Use the library directly instead of the REST wrapper.
Resources
- MS-OVIVA-EPA4ALL-771a78
Credits
Machine Spirits (contact@machinespirits.de)
- Dr. rer. nat. Simon Weber
- Dipl.-Inf. Volker Schönefeld
- Chiara Fliegner
- Database specific
{ "github_reviewed": true, "severity": "HIGH", "github_reviewed_at": "2026-05-15T18:29:31Z", "nvd_published_at": null, "cwe_ids": [ "CWE-295" ] }- References
-
- https://github.com/oviva-ag/epa4all-client/security/advisories/GHSA-5hhf-xmfx-4vvr
- https://github.com/oviva-ag/epa4all-client/pull/36
- https://github.com/oviva-ag/epa4all-client/commit/9111d6fbb939007036a7f74b2a93bb278cb5af32
- https://github.com/oviva-ag/epa4all-client
- https://github.com/oviva-ag/epa4all-client/releases/tag/v1.2.2
Affected packages
Maven / com.oviva.telematik:epa4all-client
Package
- Name
- com.oviva.telematik:epa4all-client
- View open source insights on deps.dev
- Purl
- pkg:maven/com.oviva.telematik/epa4all-client
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.2.2