The epa4all-client Java component used in the Telematik Infrastruktur contained a certificate validation flaw (CWE-295) prior to version 1.2.1. Specifically, in the SignedPublicKeysTrustValidatorImpl.isTrusted() method, the boolean return value of Signature.verify() was discarded, meaning the method did not verify if the ECDSA signature actually matched. Although the method performed certificate chain validation, OCSP checks, and signature algorithm setup, it returned true for any structurally valid signature, effectively bypassing signature verification. This vulnerability allows an attacker to potentially trust forged certificates or signatures. The vulnerability is addressed in version 1.2.1.

The vulnerability allows an attacker to bypass signature verification, potentially enabling acceptance of forged or malicious certificates. This can lead to compromise of confidentiality and integrity (as indicated by the CVSS vector: Confidentiality and Integrity impact are high, Availability is not affected). The vulnerability does not require privileges or user interaction and can be exploited remotely over a network. No known exploits in the wild have been reported.

This vulnerability is fixed in epa4all-client version 1.2.1. Users should upgrade to version 1.2.1 or later to remediate the issue. Patch status is not explicitly confirmed in the vendor advisory, but the description states the issue is fixed in 1.2.1. No additional mitigations are indicated.