CVE-2011-4314

message/ax/AxMessage.java in OpenID4Java before 0.9.6 final, as used in JBoss Enterprise Application Platform 5.1 before 5.1.2, Step2, Kay Framework before 1.0.2, and possibly other products does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack.

Published: Jan 27, 2012
Updated: Apr 13, 2023
CVE: CVE-2011-4314
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 5.8
AV:N/AC:M/Au:N/C:N/I:P/A:P

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
openid / openid4java	-	0.9.5.593.x
kay_framework_project / kay_framework	1.0.0	1.0.0.x
redhat / jboss_enterprise_application_platform	5.1.2	5.1.2.x
openid / openid4java	0.9.2	0.9.2.x
kay_framework_project / kay_framework	0.1.0	0.1.0.x
redhat / jboss_enterprise_application_platform	5.1.1	5.1.1.x
kay_framework_project / kay_framework	-	1.0.1.x
kay_framework_project / kay_framework	0.8.0	0.8.0.x
kay_framework_project / kay_framework	0.2.0	0.2.0.x
redhat / jboss_enterprise_application_platform	5.1.0	5.1.0.x
openid / openid4java	0.9.4.339	0.9.4.339.x
openid / openid4java	0.9.3	0.9.3.x
kay_framework_project / kay_framework	-	-
kay_framework_project / kay_framework	0.3.0	0.3.0.x

Vulnerability Database

289,599

CVE-2011-4314