oviva-ag epa4all-client
- < 1.2.2
A vulnerability exists in the oviva epa4all-client Java library, specifically in versions prior to 1.2.2. This issue allows an attacker to perform a man-in-the-middle (MITM) attack on the TLS connection between the client and the identity provider (IDP) within the Telematik Infrastruktur network. The attacker can substitute a forged discovery document that redirects certain URIs to attacker-controlled URLs. Consequently, the client encrypts a signed challenge response with the attacker's encryption key and sends it to the attacker's authentication endpoint, which lets the attacker capture the signed authentication material.
The underlying weakness is improper verification of cryptographic signatures: the client inadvertently encrypts and transmits sensitive authentication data to an attacker-controlled location.
Users can upgrade to version 1.2.2 or later to address this vulnerability.
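One way a client can guard against the forged discovery document described above, as an added Java example that is not epa4all-client code or its actual fix: the document's signature is verified against a pinned IDP key before any claim is read, and the endpoints must then stay on the expected host. The ES256 compact-JWS format, the pinned key, the two claim names and the `idp.example` host are assumptions.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import java.util.regex.*;

// Added example, not epa4all-client code. Assumes an ES256 compact JWS and a pinned IDP key.
public class DiscoveryDocumentCheck {
  // Simplified flat-claim extraction; use a real JSON/JOSE library in production code.
  static final Pattern CLAIM = Pattern.compile("\"([a-z_]+)\"\\s*:\\s*\"([^\"]*)\"");
  // Assumed claim names for the endpoints the client goes on to contact.
  static final List<String> ENDPOINTS = List.of("authorization_endpoint", "uri_puk_idp_enc");
  static final String ALG = "SHA256withECDSAinP1363Format"; // fixed here, never read from the JWS header

  static Map<String, String> verify(String jws, PublicKey pinned, String host) throws GeneralSecurityException {
    String[] p = jws.split("\\.");
    if (p.length != 3) throw new SecurityException("not a compact JWS");
    Signature sig = Signature.getInstance(ALG);
    sig.initVerify(pinned);
    sig.update((p[0] + "." + p[1]).getBytes(StandardCharsets.US_ASCII));
    if (!sig.verify(Base64.getUrlDecoder().decode(p[2]))) throw new SecurityException("bad signature");
    // The payload is parsed only after the signature has been verified.
    String payload = new String(Base64.getUrlDecoder().decode(p[1]), StandardCharsets.UTF_8);
    Map<String, String> claims = new HashMap<>();
    for (Matcher m = CLAIM.matcher(payload); m.find();) claims.put(m.group(1), m.group(2));
    for (String name : ENDPOINTS) { // defence in depth: endpoints must stay on the expected host
      URI uri = URI.create(claims.getOrDefault(name, ""));
      if (!"https".equals(uri.getScheme()) || !host.equals(uri.getHost()))
        throw new SecurityException(name + " points outside " + host);
    }
    return claims;
  }

  // Test helper: signs a constructed document so the check has something to verify.
  static String sign(String payload, PrivateKey key) throws GeneralSecurityException {
    Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
    String input = b64.encodeToString("{\"alg\":\"ES256\"}".getBytes(StandardCharsets.UTF_8))
        + "." + b64.encodeToString(payload.getBytes(StandardCharsets.UTF_8));
    Signature sig = Signature.getInstance(ALG);
    sig.initSign(key);
    sig.update(input.getBytes(StandardCharsets.US_ASCII));
    return input + "." + b64.encodeToString(sig.sign());
  }

  public static void main(String[] args) throws Exception {
    KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
    gen.initialize(256);
    KeyPair idp = gen.generateKeyPair(), other = gen.generateKeyPair();
    // Constructed sample documents; both hosts are placeholders.
    String good = "{\"authorization_endpoint\":\"https://idp.example/auth\",\"uri_puk_idp_enc\":\"https://idp.example/enc\"}";
    String forged = sign(good.replace("idp.example", "other.example"), other.getPrivate());
    System.out.println("accepted: " + verify(sign(good, idp.getPrivate()), idp.getPublic(), "idp.example"));
    try { verify(forged, idp.getPublic(), "idp.example"); }
    catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
  }
}
```

The document signed with a key other than the pinned one is rejected at the signature check, before any of its URIs are read.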