CVE-2014-3623

Currently unrated

Key Information:

Vendor: Apache
Status: Wss4j
Vendor: CVE Published:; 30 October 2014

Summary

Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.

References

http://www.securityfocus.com/bid/70736

vdb-entryx_refsource_BID

http://rhn.redhat.com/errata/RHSA-2015-0675.html

vendor-advisoryx_refsource_REDHAT

http://seclists.org/oss-sec/2014/q4/437

mailing-listx_refsource_MLIST

Timeline

Vulnerability published
Oct 30, 2014
Vulnerability Reserved
May 14, 2014