CVE-2014-3623
EPSS 2.5%Improper Authentication in Apache WSS4J
發布日:2022/5/13修改日:2024/12/3
描述
Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.
受影響套件(2)
- Maven/org.apache.wss4j:wss4j-ws-security-dom>= 2.0.0, < 2.0.2
- Maven/org.apache.ws.security:wss4jfrom 0, < 1.6.17
參考連結(14)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2014-3623
- WEBhttp://rhn.redhat.com/errata/RHSA-2015-0236.html
- WEBhttp://rhn.redhat.com/errata/RHSA-2015-0675.html
- WEBhttp://rhn.redhat.com/errata/RHSA-2015-0850.html
- WEBhttp://rhn.redhat.com/errata/RHSA-2015-0851.html
- WEBhttp://seclists.org/oss-sec/2014/q4/437
- WEBhttps://exchange.xforce.ibmcloud.com/vulnerabilities/97754
- WEBhttps://issues.apache.org/jira/browse/WSS-511
- WEBhttps://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E