GHSA-vjwc-5hfh-2vv5

Source

https://github.com/advisories/GHSA-vjwc-5hfh-2vv5

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-vjwc-5hfh-2vv5/GHSA-vjwc-5hfh-2vv5.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vjwc-5hfh-2vv5

Aliases

CVE-2015-0226

Published

2022-05-14T00:55:57Z

Modified

2024-02-16T08:24:22.064719Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Use of a Broken or Risky Cryptographic Algorithm in Apache WSS4J

Details

Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks information about decryption failures when decrypting an encrypted key or message data, which makes it easier for remote attackers to recover the plaintext form of a symmetric key via a series of crafted messages. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-2487.

References

Affected packages

Maven / org.apache.ws.security:wss4j

Package

Name: org.apache.ws.security:wss4j; View open source insights on deps.dev
Purl: pkg:maven/org.apache.ws.security/wss4j

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.6.17

Affected versions

1.*

1.5.2

1.5.3

1.5.4

1.5.5

1.5.6

1.5.7

1.5.8

1.5.9

1.5.10

1.5.11

1.5.12

1.6.0

1.6.1

1.6.2

1.6.3

1.6.4

1.6.5

1.6.6

1.6.7

1.6.8

1.6.9

1.6.10

1.6.11

1.6.12

1.6.13

1.6.14

1.6.15

1.6.16

Maven / org.apache.wss4j:wss4j-ws-security-dom

Package

Name: org.apache.wss4j:wss4j-ws-security-dom; View open source insights on deps.dev
Purl: pkg:maven/org.apache.wss4j/wss4j-ws-security-dom

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0

Fixed

2.02

Affected versions

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.10

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.1.7

2.1.8

2.1.9

2.1.10

2.1.11

2.1.12