CVE-2011-4314
Summary
| CVE | CVE-2011-4314 |
|---|---|
| State | PUBLISHED |
| Assigner | redhat |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2012-01-27 15:55:04 UTC |
| Updated | 2026-04-29 01:13:23 UTC |
| Description | message/ax/AxMessage.java in OpenID4Java before 0.9.6 final, as used in JBoss Enterprise Application Platform 5.1 before 5.1.2, Step2, Kay Framework before 1.0.2, and possibly other products does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack. |
Risk And Classification
CVSS v2.0 Breakdown
| Metric | Value |
|---|---|
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality | None |
| Integrity | Partial |
| Availability | Partial |
| Vector String | AV:N/AC:M/Au:N/C:N/I:P/A:P |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Kay Framework Project | Kay Framework | 0.0.0 | - | All | All |
| Application | Kay Framework Project | Kay Framework | 0.1.0 | All | All | All |
| Application | Kay Framework Project | Kay Framework | 0.2.0 | All | All | All |
| Application | Kay Framework Project | Kay Framework | 0.3.0 | All | All | All |
| Application | Kay Framework Project | Kay Framework | 0.8.0 | All | All | All |
| Application | Kay Framework Project | Kay Framework | 1.0.0 | All | All | All |
| Application | Kay Framework Project | Kay Framework | All | All | All | All |
| Application | Openid | Openid4java | 0.9.2 | All | All | All |
| Application | Openid | Openid4java | 0.9.3 | All | All | All |
| Application | Openid | Openid4java | 0.9.4.339 | All | All | All |
| Application | Openid | Openid4java | All | All | All | All |
| Application | Redhat | Jboss Enterprise Application Platform | 5.1.0 | All | All | All |
| Application | Redhat | Jboss Enterprise Application Platform | 5.1.1 | All | All | All |
| Application | Redhat | Jboss Enterprise Application Platform | 5.1.2 | All | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [SOA-3597] Upgrade openid4java to resolve CVE-2011-4314 - Red Hat Issue Tracker | af854a3a-2127-422b-91ae-364da2661108 | issues.jboss.org | |
| oss-security - CVE Request: openid4java not properly verifying the signature of Attribute Exchange (AX) information | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | |
| JBoss OpenID4Java Signature Validation Flaw Lets Remote Users Modify Data - SecurityTracker | af854a3a-2127-422b-91ae-364da2661108 | securitytracker.com | |
| Security Advisory SA48954 - Red Hat update for JBoss Enterprise Portal Platform - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Support | af854a3a-2127-422b-91ae-364da2661108 | www.redhat.com | |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | |
| Attribute Exchange Security Alert \| OpenID | af854a3a-2127-422b-91ae-364da2661108 | openid.net | Patch, Vendor Advisory |
| [JBEPP-1368] Upgrade openid4java to resolve CVE-2011-4314 - Red Hat Issue Tracker | af854a3a-2127-422b-91ae-364da2661108 | issues.jboss.org | |
| Security Advisory SA48697 - Red Hat update for JBoss Enterprise BRMS Platform - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| oss-security - Re: CVE Request: openid4java not properly verifying the signature of Attribute Exchange (AX) information | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | |
| OpenID4Java Attribute Exchange Signatures Security Issue - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Vendor Advisory |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.