Vulnerability Description
Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks information about decryption failures when decrypting an encrypted key or message data, which makes it easier for remote attackers to recover the plaintext form of a symmetric key via a series of crafted messages. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-2487.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Wss4J | <= 1.6.16 |
Related Weaknesses (CWE)
References
- http://rhn.redhat.com/errata/RHSA-2015-0846.html
- http://rhn.redhat.com/errata/RHSA-2015-0847.html
- http://rhn.redhat.com/errata/RHSA-2015-0848.html
- http://rhn.redhat.com/errata/RHSA-2015-0849.html
- http://rhn.redhat.com/errata/RHSA-2015-1176.html
- http://rhn.redhat.com/errata/RHSA-2015-1177.html
- http://www.securityfocus.com/bid/72553Third Party AdvisoryVDB Entry
- https://access.redhat.com/errata/RHSA-2016:1376
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpe
- https://ws.apache.org/wss4j/advisories/CVE-2015-0226.txt.ascIssue TrackingVendor Advisory
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- http://rhn.redhat.com/errata/RHSA-2015-0846.html
- http://rhn.redhat.com/errata/RHSA-2015-0847.html
- http://rhn.redhat.com/errata/RHSA-2015-0848.html
- http://rhn.redhat.com/errata/RHSA-2015-0849.html
FAQ
What is CVE-2015-0226?
CVE-2015-0226 is a vulnerability with a CVSS score of 7.5 (HIGH). Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks information about decryption failures when decrypting an encrypted key or message data, which makes it easier for remote attackers to...
How severe is CVE-2015-0226?
CVE-2015-0226 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-0226?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Wss4J.