CVE-2014-3623
published 2014-10-30CVE-2014-3623: Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not…
medium5CVSS 3.1
AVNACLAuNCNIPAN
Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | cxf | 2.7.0 – 2.7.13 | — |
| apache | cxf | >= 3.0.0 < 3.0.2 | 3.0.2 |
| apache | wss4j | < 1.6.17 | 1.6.17 |
| apache | wss4j | >= 2.0.0 < 2.0.2 | 2.0.2 |