Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2014-10-30T14:00:00

Updated: 2024-08-06T10:50:17.711Z

Reserved: 2014-05-14T00:00:00

Link: CVE-2014-3623

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2014-10-30T14:55:07.833

Modified: 2024-11-21T02:08:31.560

Link: CVE-2014-3623

cve-icon Redhat

Severity : Moderate

Publid Date: 2014-10-25T00:00:00Z

Links: CVE-2014-3623 - Bugzilla