CVE-2014-3623

Apache Wss4j < 1.6.17 - Authentication Bypass

Title source: rule

Description

Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.

Scores

EPSS 0.0249
EPSS Percentile 85.1%

Classification

CWE
CWE-287
Status draft

Affected Products (4)

apache/wss4j < 1.6.17
apache/cxf < 2.7.13
org.apache.ws.security/wss4j < 1.6.17 (Maven)
org.apache.wss4j/wss4j-ws-security-dom < 2.0.2 (Maven)

Timeline

Published Oct 30, 2014
Tracked Since Feb 18, 2026