CVE-2011-4314
OpenID4Java does not verify that Attribute Exchange (AX) information is signed
EPSS 0.56%
Description
message/ax/AxMessage.java in OpenID4Java before 0.9.6 final, as used in JBoss Enterprise Application Platform 5.1 before 5.1.2, Step2, Kay Framework before 1.0.2, and possibly other products does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack.
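The check the description says was missing, as an added Python illustration (not code from OpenID4Java or from this advisory): a Relying Party should only trust AX attributes when every AX field, including the openid.ns.<alias> namespace declaration, is listed in openid.signed, so that the assertion signature actually covers them. The sample assertion below is constructed, laid out in the OpenID 2.0 key:value form; verifying the signature itself is assumed to happen separately.

```python
AX_NS = "http://openid.net/srv/ax/1.0"

def parse_kv(body):
    """Parse OpenID key:value form (one 'key:value' per line) into a dict."""
    pairs = (line.partition(":") for line in body.splitlines() if line.strip())
    return {k: v for k, _, v in pairs}

def ax_alias(params):
    """Extension alias bound to the AX namespace via openid.ns.<alias>, or None."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == AX_NS:
            return key[len("openid.ns."):]
    return None

def unsigned_ax_fields(params):
    """AX fields (and the namespace declaration) missing from openid.signed.
    openid.signed names fields without their 'openid.' prefix."""
    alias = ax_alias(params)
    if alias is None:
        return []
    signed = set(params.get("openid.signed", "").split(","))
    prefix = f"openid.{alias}."
    return sorted(k for k in params
                  if (k == f"openid.ns.{alias}" or k.startswith(prefix))
                  and k[len("openid."):] not in signed)

def ax_values(params, require_signed=True):
    """{attribute: value} from openid.<alias>.value.<attribute>. With
    require_signed=True (fixed behaviour) any unsigned AX field makes the whole
    AX payload untrusted and {} is returned; False mirrors the pre-0.9.6 code.
    Verifying the HMAC over the signed fields is assumed to happen elsewhere."""
    alias = ax_alias(params)
    if alias is None or (require_signed and unsigned_ax_fields(params)):
        return {}
    prefix = f"openid.{alias}.value."
    return {k[len(prefix):]: v for k, v in params.items() if k.startswith(prefix)}

# Constructed positive assertion: the signature covers only the core fields,
# so the AX email could be rewritten in transit without detection.
TAMPERED = parse_kv("""\
openid.ns:http://specs.openid.net/auth/2.0
openid.mode:id_res
openid.claimed_id:https://example.com/alice
openid.ns.ax:http://openid.net/srv/ax/1.0
openid.ax.mode:fetch_response
openid.ax.type.email:http://axschema.org/contact/email
openid.ax.value.email:attacker@example.net
openid.signed:op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle
openid.sig:dGVzdA==
""")
```

With require_signed=True the sample yields no attributes, because the four AX fields are outside the signed list; the same assertion with ns.ax,ax.mode,ax.type.email,ax.value.email appended to openid.signed is accepted.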
How to fix CVE-2011-4314
To remediate CVE-2011-4314, upgrade the affected package to a fixed version below.
- Debian/openid4java—upgrade to 0.9.6.662-1 or later
- upgrade to 0.9.6 or later
Is CVE-2011-4314 being exploited?
Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 0.9.6.662-1
- from 0, < 0.9.6