| Name | CVE-2011-4314 |
| Description | message/ax/AxMessage.java in OpenID4Java before 0.9.6 final, as used in JBoss Enterprise Application Platform 5.1 before 5.1.2, Step2, Kay Framework before 1.0.2, and possibly other products does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| openid4java (PTS) | buster, bullseye | 1.0.0-1 | fixed |
| sid, trixie, bookworm | 1.0.0-2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| jbossas4 | source | (unstable) | (not affected) | |||
| openid4java | source | (unstable) | 0.9.6.662-1 |
- jbossas4 <not-affected> (Only builds a few libraries, not the full application server, #581226)