Vulnerability Description
message/ax/AxMessage.java in OpenID4Java before 0.9.6 final, as used in JBoss Enterprise Application Platform 5.1 before 5.1.2, Step2, Kay Framework before 1.0.2, and possibly other products does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Kay Framework Project | Kay Framework | <= 1.0.1 |
| Openid | Openid4Java | <= 0.9.5.593 |
| Redhat | Jboss Enterprise Application Platform | 5.1.0 |
Related Weaknesses (CWE)
References
- http://openid.net/2011/05/05/attribute-exchange-security-alert/PatchVendor Advisory
- http://rhn.redhat.com/errata/RHSA-2012-0441.html
- http://rhn.redhat.com/errata/RHSA-2012-0519.html
- http://secunia.com/advisories/44496Vendor Advisory
- http://secunia.com/advisories/48697
- http://secunia.com/advisories/48954
- http://securitytracker.com/id?1026400
- http://www.openwall.com/lists/oss-security/2011/11/16/1
- http://www.openwall.com/lists/oss-security/2011/11/17/1
- http://www.redhat.com/support/errata/RHSA-2011-1804.html
- https://issues.jboss.org/browse/JBEPP-1368
- https://issues.jboss.org/browse/SOA-3597
- http://openid.net/2011/05/05/attribute-exchange-security-alert/PatchVendor Advisory
- http://rhn.redhat.com/errata/RHSA-2012-0441.html
- http://rhn.redhat.com/errata/RHSA-2012-0519.html
FAQ
What is CVE-2011-4314?
CVE-2011-4314 is a vulnerability with a CVSS score of 5.8 (MEDIUM). message/ax/AxMessage.java in OpenID4Java before 0.9.6 final, as used in JBoss Enterprise Application Platform 5.1 before 5.1.2, Step2, Kay Framework before 1.0.2, and possibly other products does not ...
How severe is CVE-2011-4314?
CVE-2011-4314 has been rated MEDIUM with a CVSS base score of 5.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2011-4314?
Check the references section above for vendor advisories and patch information. Affected products include: Kay Framework Project Kay Framework, Openid Openid4Java, Redhat Jboss Enterprise Application Platform.