{"api_version":"1","generated_at":"2026-07-03T07:03:52+00:00","cve":"CVE-2011-4314","urls":{"html":"https://cve.report/CVE-2011-4314","api":"https://cve.report/api/cve/CVE-2011-4314.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2011-4314","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2011-4314"},"summary":{"title":"CVE-2011-4314","description":"message/ax/AxMessage.java in OpenID4Java before 0.9.6 final, as used in JBoss Enterprise Application Platform 5.1 before 5.1.2, Step2, Kay Framework before 1.0.2, and possibly other products does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack.","state":"PUBLISHED","assigner":"redhat","published_at":"2012-01-27 15:55:04","updated_at":"2026-04-29 01:13:23"},"problem_types":["CWE-20","n/a"],"metrics":[{"version":"2.0","source":"nvd@nist.gov","type":"Primary","score":"5.8","severity":"","vector":"AV:N/AC:M/Au:N/C:N/I:P/A:P","data":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:P","baseScore":5.8,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"}}],"references":[{"url":"https://issues.jboss.org/browse/SOA-3597","name":"https://issues.jboss.org/browse/SOA-3597","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"[SOA-3597] Upgrade openid4java to resolve CVE-2011-4314 - Red Hat Issue Tracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.openwall.com/lists/oss-security/2011/11/16/1","name":"http://www.openwall.com/lists/oss-security/2011/11/16/1","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"oss-security - CVE Request: openid4java not properly verifying the signature of Attribute Exchange (AX) information","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://securitytracker.com/id?1026400","name":"http://securitytracker.com/id?1026400","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"JBoss OpenID4Java Signature Validation Flaw Lets Remote Users Modify Data - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://secunia.com/advisories/48954","name":"http://secunia.com/advisories/48954","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"Security Advisory SA48954 - Red Hat update for JBoss Enterprise Portal Platform - Secunia","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.redhat.com/support/errata/RHSA-2011-1804.html","name":"http://www.redhat.com/support/errata/RHSA-2011-1804.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"Support","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://rhn.redhat.com/errata/RHSA-2012-0441.html","name":"http://rhn.redhat.com/errata/RHSA-2012-0441.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"http://openid.net/2011/05/05/attribute-exchange-security-alert/","name":"http://openid.net/2011/05/05/attribute-exchange-security-alert/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Vendor Advisory"],"title":"Attribute Exchange Security Alert | OpenID","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://issues.jboss.org/browse/JBEPP-1368","name":"https://issues.jboss.org/browse/JBEPP-1368","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"[JBEPP-1368] Upgrade openid4java to resolve CVE-2011-4314 - Red Hat Issue Tracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://secunia.com/advisories/48697","name":"http://secunia.com/advisories/48697","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"Security Advisory SA48697 - Red Hat update for JBoss Enterprise BRMS Platform - Secunia","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.openwall.com/lists/oss-security/2011/11/17/1","name":"http://www.openwall.com/lists/oss-security/2011/11/17/1","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"oss-security - Re: CVE Request: openid4java not properly verifying\n the signature of Attribute Exchange (AX) information","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://secunia.com/advisories/44496","name":"http://secunia.com/advisories/44496","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"],"title":"OpenID4Java Attribute Exchange Signatures Security Issue - Secunia.com","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://rhn.redhat.com/errata/RHSA-2012-0519.html","name":"http://rhn.redhat.com/errata/RHSA-2012-0519.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2011-4314","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2011-4314","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"n/a","product":"n/a","version":"affected n/a","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2011","cve_id":"4314","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"kay_framework_project","cpe5":"kay_framework","cpe6":"0.0.0","cpe7":"-","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2011","cve_id":"4314","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"kay_framework_project","cpe5":"kay_framework","cpe6":"0.1.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2011","cve_id":"4314","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"kay_framework_project","cpe5":"kay_framework","cpe6":"0.2.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2011","cve_id":"4314","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"kay_framework_project","cpe5":"kay_framework","cpe6":"0.3.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2011","cve_id":"4314","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"kay_framework_project","cpe5":"kay_framework","cpe6":"0.8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2011","cve_id":"4314","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"kay_framework_project","cpe5":"kay_framework","cpe6":"1.0.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2011","cve_id":"4314","vulnerable":"1","versionEndIncluding":"1.0.1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"kay_framework_project","cpe5":"kay_framework","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2011","cve_id":"4314","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"openid","cpe5":"openid4java","cpe6":"0.9.2","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2011","cve_id":"4314","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"openid","cpe5":"openid4java","cpe6":"0.9.3","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2011","cve_id":"4314","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"openid","cpe5":"openid4java","cpe6":"0.9.4.339","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2011","cve_id":"4314","vulnerable":"1","versionEndIncluding":"0.9.5.593","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"openid","cpe5":"openid4java","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2011","cve_id":"4314","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"jboss_enterprise_application_platform","cpe6":"5.1.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2011","cve_id":"4314","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"jboss_enterprise_application_platform","cpe6":"5.1.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2011","cve_id":"4314","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"jboss_enterprise_application_platform","cpe6":"5.1.2","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-07T00:01:51.595Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"name":"RHSA-2011:1804","tags":["vendor-advisory","x_refsource_REDHAT","x_transferred"],"url":"http://www.redhat.com/support/errata/RHSA-2011-1804.html"},{"name":"44496","tags":["third-party-advisory","x_refsource_SECUNIA","x_transferred"],"url":"http://secunia.com/advisories/44496"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"http://openid.net/2011/05/05/attribute-exchange-security-alert/"},{"name":"RHSA-2012:0519","tags":["vendor-advisory","x_refsource_REDHAT","x_transferred"],"url":"http://rhn.redhat.com/errata/RHSA-2012-0519.html"},{"name":"48954","tags":["third-party-advisory","x_refsource_SECUNIA","x_transferred"],"url":"http://secunia.com/advisories/48954"},{"name":"RHSA-2012:0441","tags":["vendor-advisory","x_refsource_REDHAT","x_transferred"],"url":"http://rhn.redhat.com/errata/RHSA-2012-0441.html"},{"name":"[oss-security] 20111116 CVE Request: openid4java not properly verifying the signature of Attribute Exchange (AX) information","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2011/11/16/1"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://issues.jboss.org/browse/SOA-3597"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://issues.jboss.org/browse/JBEPP-1368"},{"name":"1026400","tags":["vdb-entry","x_refsource_SECTRACK","x_transferred"],"url":"http://securitytracker.com/id?1026400"},{"name":"[oss-security] 20111116 Re: CVE Request: openid4java not properly verifying the signature of Attribute Exchange (AX) information","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2011/11/17/1"},{"name":"48697","tags":["third-party-advisory","x_refsource_SECUNIA","x_transferred"],"url":"http://secunia.com/advisories/48697"}],"title":"CVE Program Container"}],"cna":{"affected":[{"product":"n/a","vendor":"n/a","versions":[{"status":"affected","version":"n/a"}]}],"datePublic":"2011-11-16T00:00:00.000Z","descriptions":[{"lang":"en","value":"message/ax/AxMessage.java in OpenID4Java before 0.9.6 final, as used in JBoss Enterprise Application Platform 5.1 before 5.1.2, Step2, Kay Framework before 1.0.2, and possibly other products does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack."}],"problemTypes":[{"descriptions":[{"description":"n/a","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2012-11-27T10:00:00.000Z","orgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","shortName":"redhat"},"references":[{"name":"RHSA-2011:1804","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"http://www.redhat.com/support/errata/RHSA-2011-1804.html"},{"name":"44496","tags":["third-party-advisory","x_refsource_SECUNIA"],"url":"http://secunia.com/advisories/44496"},{"tags":["x_refsource_CONFIRM"],"url":"http://openid.net/2011/05/05/attribute-exchange-security-alert/"},{"name":"RHSA-2012:0519","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"http://rhn.redhat.com/errata/RHSA-2012-0519.html"},{"name":"48954","tags":["third-party-advisory","x_refsource_SECUNIA"],"url":"http://secunia.com/advisories/48954"},{"name":"RHSA-2012:0441","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"http://rhn.redhat.com/errata/RHSA-2012-0441.html"},{"name":"[oss-security] 20111116 CVE Request: openid4java not properly verifying the signature of Attribute Exchange (AX) information","tags":["mailing-list","x_refsource_MLIST"],"url":"http://www.openwall.com/lists/oss-security/2011/11/16/1"},{"tags":["x_refsource_CONFIRM"],"url":"https://issues.jboss.org/browse/SOA-3597"},{"tags":["x_refsource_CONFIRM"],"url":"https://issues.jboss.org/browse/JBEPP-1368"},{"name":"1026400","tags":["vdb-entry","x_refsource_SECTRACK"],"url":"http://securitytracker.com/id?1026400"},{"name":"[oss-security] 20111116 Re: CVE Request: openid4java not properly verifying the signature of Attribute Exchange (AX) information","tags":["mailing-list","x_refsource_MLIST"],"url":"http://www.openwall.com/lists/oss-security/2011/11/17/1"},{"name":"48697","tags":["third-party-advisory","x_refsource_SECUNIA"],"url":"http://secunia.com/advisories/48697"}]}},"cveMetadata":{"assignerOrgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","assignerShortName":"redhat","cveId":"CVE-2011-4314","datePublished":"2012-01-27T15:00:00.000Z","dateReserved":"2011-11-04T00:00:00.000Z","dateUpdated":"2024-08-07T00:01:51.595Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"},"nvd":{"publishedDate":"2012-01-27 15:55:04","lastModifiedDate":"2026-04-29 01:13:23","problem_types":["CWE-20","n/a"],"metrics":{"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:P","baseScore":5.8,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":8.6,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:kay_framework_project:kay_framework:*:*:*:*:*:*:*:*","versionEndIncluding":"1.0.1","matchCriteriaId":"C34585EE-6B3D-4BAA-A48B-355751340745"},{"vulnerable":true,"criteria":"cpe:2.3:a:kay_framework_project:kay_framework:0.0.0:-:*:*:*:*:*:*","matchCriteriaId":"497F44FA-8826-4F7D-97E3-D2AA02734A05"},{"vulnerable":true,"criteria":"cpe:2.3:a:kay_framework_project:kay_framework:0.1.0:*:*:*:*:*:*:*","matchCriteriaId":"D0CB7EFD-538C-4573-9C5E-51CE3EFE4942"},{"vulnerable":true,"criteria":"cpe:2.3:a:kay_framework_project:kay_framework:0.2.0:*:*:*:*:*:*:*","matchCriteriaId":"DFD65FAE-117F-4836-8F18-0993FC7273E8"},{"vulnerable":true,"criteria":"cpe:2.3:a:kay_framework_project:kay_framework:0.3.0:*:*:*:*:*:*:*","matchCriteriaId":"395C136F-0B5D-46E1-BF57-2D71677282BB"},{"vulnerable":true,"criteria":"cpe:2.3:a:kay_framework_project:kay_framework:0.8.0:*:*:*:*:*:*:*","matchCriteriaId":"3AE498E3-51AB-4E12-BD4C-D1FF6729E238"},{"vulnerable":true,"criteria":"cpe:2.3:a:kay_framework_project:kay_framework:1.0.0:*:*:*:*:*:*:*","matchCriteriaId":"AC6154A9-F506-47B3-94B8-ACA20BCB4C86"},{"vulnerable":true,"criteria":"cpe:2.3:a:openid:openid4java:*:*:*:*:*:*:*:*","versionEndIncluding":"0.9.5.593","matchCriteriaId":"E9618CEF-6F14-469A-A27E-5FEDDC0B939A"},{"vulnerable":true,"criteria":"cpe:2.3:a:openid:openid4java:0.9.2:*:*:*:*:*:*:*","matchCriteriaId":"434CDA90-8E27-45AC-8235-91E1FAACA016"},{"vulnerable":true,"criteria":"cpe:2.3:a:openid:openid4java:0.9.3:*:*:*:*:*:*:*","matchCriteriaId":"D0D0288B-293C-4DAF-A2F0-A8CDA9B5FD3A"},{"vulnerable":true,"criteria":"cpe:2.3:a:openid:openid4java:0.9.4.339:*:*:*:*:*:*:*","matchCriteriaId":"F9EC5D95-9C93-4B71-8C90-1451FB863DA7"},{"vulnerable":true,"criteria":"cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.1.0:*:*:*:*:*:*:*","matchCriteriaId":"972C5C87-E982-44A5-866D-FDEACB5203B8"},{"vulnerable":true,"criteria":"cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.1.1:*:*:*:*:*:*:*","matchCriteriaId":"C13890AE-5FDE-4698-8A2E-1B2FA0A313AF"},{"vulnerable":true,"criteria":"cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.1.2:*:*:*:*:*:*:*","matchCriteriaId":"8A785F07-9B76-4153-B676-29C9682B2F73"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2011","CveId":"4314","Ordinal":"1","Title":"CVE-2011-4314","CVE":"CVE-2011-4314","Year":"2011"},"notes":[{"CveYear":"2011","CveId":"4314","Ordinal":"1","NoteData":"message/ax/AxMessage.java in OpenID4Java before 0.9.6 final, as used in JBoss Enterprise Application Platform 5.1 before 5.1.2, Step2, Kay Framework before 1.0.2, and possibly other products does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack.","Type":"Description","Title":"CVE-2011-4314"},{"CveYear":"2011","CveId":"4314","Ordinal":"2","NoteData":"2012-01-27","Type":"Other","Title":"Published"},{"CveYear":"2011","CveId":"4314","Ordinal":"3","NoteData":"2012-11-27","Type":"Other","Title":"Modified"}]}}}