CVE-2014-3623
Apache WSS4J < 1.6.17 and 2.x < 2.0.2 - Improper Authentication via SAML SubjectConfirmation Method
Title source: llmDescription
Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.
References (15)
Core 15
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/70736
Third Party Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-0675.html
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://seclists.org/oss-sec/2014/q4/437
Third Party Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-0850.html
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/61909
Vendor Advisory x_refsource_confirm
https://issues.apache.org/jira/browse/WSS-511
Third Party Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-0851.html
Third Party Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-0236.html
VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/97754
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E
Scores
EPSS
0.0249
EPSS Percentile
85.5%
Details
CWE
CWE-287
Status
published
Products (4)
apache/cxf
2.7.0 - 2.7.13
apache/wss4j
< 1.6.17
org.apache.ws.security/wss4j
0 - 1.6.17Maven
org.apache.wss4j/wss4j-ws-security-dom
2.0.0 - 2.0.2Maven
Published
Oct 30, 2014
Tracked Since
Feb 18, 2026