Apache WSS4J before 1.6.17 and 2.x before 2.0.2 allows remote attackers to bypass the requireSignedEncryptedDataElements configuration via a vectors related to wrapping attacks.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Wss4j | Apache | * | 1.6.16 (including) |
Wss4j | Apache | 2.0.0 (including) | 2.0.0 (including) |
Wss4j | Apache | 2.0.0-rc1 (including) | 2.0.0-rc1 (including) |
Wss4j | Apache | 2.0.1 (including) | 2.0.1 (including) |