CVE-2014-3623 Information
Description
Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, does not properly enforce the security semantics of the SAML SubjectConfirmation method when a TransportBinding policy is in use. A SAML SubjectConfirmation method states what a relying party must verify before trusting an assertion: a holder-of-key assertion requires the presenter to prove possession of the key named in the assertion, while sender-vouches and bearer assertions carry no proof of possession and rely on a trusted party signing the assertion. Because these checks were not enforced for TransportBinding, a remote attacker could present an assertion and be treated as its subject, i.e. conduct spoofing attacks; the vectors are unspecified. The fix is to upgrade to WSS4J 1.6.17 or 2.0.2, or to CXF 2.7.13 or 3.0.2, which contain the corrected versions.
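To make the missing check concrete, the following added example (illustrative code written for this page, not WSS4J's or CXF's own implementation or API) parses a SAML 2.0 assertion and enforces the SubjectConfirmation semantics described above. The assertions, key names, issuer URL and the function names `parse_confirmation` / `enforce_subject_confirmation` are all constructed for the example; `proven_key` stands in for whatever key the requester actually demonstrated possession of on this message (a message signature or the TLS client certificate), and `assertion_signer` for the issuer whose XML signature over the assertion has already been validated. Sender-vouches and bearer are modelled here simply as "must be signed by a trusted issuer".

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml2": SAML2, "ds": DS}

HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample assertion (not a real token): holder-of-key, bound to key "client-key-1".
HOK_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML2}" xmlns:ds="{DS}" ID="_hok1" Version="2.0">
  <saml2:Issuer>https://idp.example.test</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID>alice</saml2:NameID>
    <saml2:SubjectConfirmation Method="{HOLDER_OF_KEY}">
      <saml2:SubjectConfirmationData>
        <ds:KeyInfo><ds:KeyName>client-key-1</ds:KeyName></ds:KeyInfo>
      </saml2:SubjectConfirmationData>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
</saml2:Assertion>"""

# Constructed sample assertion: sender-vouches, so no subject key is named.
SV_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML2}" ID="_sv1" Version="2.0">
  <saml2:Issuer>https://idp.example.test</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID>alice</saml2:NameID>
    <saml2:SubjectConfirmation Method="{SENDER_VOUCHES}"/>
  </saml2:Subject>
</saml2:Assertion>"""


def parse_confirmation(assertion_xml):
    """Return (issuer, confirmation method URI, subject key name or None)."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml2:Issuer", namespaces=NS)
    sc = root.find("saml2:Subject/saml2:SubjectConfirmation", NS)
    if sc is None:
        raise ValueError("assertion carries no SubjectConfirmation element")
    key_name = sc.findtext(
        "saml2:SubjectConfirmationData/ds:KeyInfo/ds:KeyName", namespaces=NS)
    return issuer, sc.get("Method"), key_name


def enforce_subject_confirmation(assertion_xml, proven_key=None,
                                 assertion_signer=None, trusted_issuers=()):
    """Hypothetical policy check; returns (accepted, reason).

    proven_key: key the requester proved possession of on this message, or None.
    assertion_signer: issuer whose signature over the assertion verified, or None.
    Note that a TLS-protected transport on its own proves nothing about either.
    """
    issuer, method, key_name = parse_confirmation(assertion_xml)

    if method == HOLDER_OF_KEY:
        # The subject must demonstrate possession of the key the assertion names.
        if key_name is None:
            return False, "holder-of-key assertion names no subject key"
        if proven_key != key_name:
            return False, "requester did not prove possession of key %r" % key_name
        return True, "holder-of-key: proof of possession verified"

    if method in (SENDER_VOUCHES, BEARER):
        # No proof of possession is possible; trust rests on a trusted signer.
        if assertion_signer is None or assertion_signer not in trusted_issuers:
            return False, "%s assertion is not signed by a trusted issuer" % method
        return True, "%s: signed by trusted issuer %s" % (method, assertion_signer)

    return False, "unsupported SubjectConfirmation method %r" % method


if __name__ == "__main__":
    trusted = {"https://idp.example.test"}
    # An attacker replaying the HoK assertion without the key is rejected.
    print(enforce_subject_confirmation(HOK_ASSERTION))
    # The legitimate holder, who signed the message with client-key-1, is accepted.
    print(enforce_subject_confirmation(HOK_ASSERTION, proven_key="client-key-1"))
    # A sender-vouches assertion is only accepted when a trusted issuer signed it.
    print(enforce_subject_confirmation(SV_ASSERTION))
    print(enforce_subject_confirmation(SV_ASSERTION,
                                       assertion_signer="https://idp.example.test",
                                       trusted_issuers=trusted))
```

The point of the example is the first call: a holder-of-key assertion presented over a protected transport, but without any proof that the presenter holds the subject's key, must be rejected rather than accepted on the strength of the transport alone.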
References
http://rhn.redhat.com/errata/RHSA-2015-0236.html
http://rhn.redhat.com/errata/RHSA-2015-0675.html
http://rhn.redhat.com/errata/RHSA-2015-0850.html
http://rhn.redhat.com/errata/RHSA-2015-0851.html
http://seclists.org/oss-sec/2014/q4/437
http://secunia.com/advisories/61909
http://www.securityfocus.com/bid/70736
https://exchange.xforce.ibmcloud.com/vulnerabilities/97754
https://issues.apache.org/jira/browse/WSS-511
https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E
https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E
https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E
https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E