CVE-2014-3623

CWE-287 — Improper Authentication CWE-3479 documents6 sources

Severity

5.0MEDIUM

EPSS

2.5%

top 14.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache CXF Apache Wss4j

Timeline

PublishedOct 30

Latest updateMay 13

Description

Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages4 packages

▶Mavenorg.apache.ws.security:wss4j< 1.6.17

▶Mavenorg.apache.wss4j:wss4j-ws-security-dom2.0.0 — 2.0.2

▶NVDapache/wss4j2.0.0 — 2.0.2+1

▶NVDapache/cxf3.0.0 — 3.0.2+1

🔴Vulnerability Details

GHSA

Improper Authentication in Apache WSS4J↗2022-05-13

▶

OSV

Improper Authentication in Apache WSS4J↗2022-05-13

▶

CVEList

CVE-2014-3623: Apache WSS4J before 1↗2014-10-30

▶

📋Vendor Advisories

Red Hat

CXF: Improper security semantics enforcement of SAML SubjectConfirmation methods↗2014-10-25

▶

💬Community

Bugzilla

CVE-2014-3623 Apache WSS4J / Apache CXF: Improper security semantics enforcement of SAML SubjectConfirmation methods↗2014-10-27

▶

Bugzilla

CVE-2014-3623 wss4j: Apache WSS4J / Apache CXF: Improper security semantics enforcement of SAML SubjectConfirmation methods [fedora-all]↗2014-10-27

▶

Bugzilla

CVE-2014-3584 CVE-2014-3623 cxf: various flaws [fedora-all]↗2014-10-27

▶

Bugzilla

CVE-2014-3623 wildfly: various flaws [fedora-all]↗2014-10-27

▶