CVE-2015-0226 – org.apache.ws.security:wss4j
Package
Manager: maven
Name: org.apache.ws.security:wss4j
Vulnerable Version: >=0 <1.6.17
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.04622 (percentile: 0.88854)
Details
Use of a Broken or Risky Cryptographic Algorithm in Apache WSS4J
Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks information about decryption failures when decrypting an encrypted key or message data, which makes it easier for remote attackers to recover the plaintext form of a symmetric key via a series of crafted messages. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-2487.
Metadata
Created: 2022-05-14T00:55:57Z
Modified: 2025-02-19T21:13:00Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-vjwc-5hfh-2vv5/GHSA-vjwc-5hfh-2vv5.json
CWE IDs: ["CWE-327"]
Alternative ID: GHSA-vjwc-5hfh-2vv5
Finding: F052
Auto approve: 1