GHSA-5hhf-xmfx-4vvrHighCVSS 8.1

epa4all-client: TLS Certificate Validation Disabled in Production

Published
May 15, 2026
Last Modified
May 15, 2026

🔗 CVE IDs covered (1)

📋 Description

Impact

An attacker on the network path between the ePA service and the Konnektor can present any TLS certificate (self-signed, expired, wrong CN) and intercept all SOAP traffic. This includes patient identifiers (KVNR), SMC-B card operations (authentication, signing), document content, and credential exchanges.

Patches

#36

Workarounds

Use the library directly instead of the REST wrapper.

Resources

  • MS-OVIVA-EPA4ALL-771a78

Credits

Machine Spirits ([email protected])

  • Dr. rer. nat. Simon Weber
  • Dipl.-Inf. Volker Schönefeld
  • Chiara Fliegner

🎯 Affected products1

  • maven/com.oviva.telematik:epa4all-client:< 1.2.2

🔗 References (5)