CVE-2014-3623 – org.apache.wss4j:wss4j-ws-security-dom
Package
Manager: maven
Name: org.apache.wss4j:wss4j-ws-security-dom
Vulnerable Version: >=2.0.0 <2.0.2
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.01604 (percentile: 0.81025)
Details
Improper Authentication in Apache WSS4J
Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.
Metadata
Created: 2022-05-13T01:09:20Z
Modified: 2022-07-07T22:34:04Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-99v3-9x35-c5vf/GHSA-99v3-9x35-c5vf.json
CWE IDs: ["CWE-287"]
Alternative ID: GHSA-99v3-9x35-c5vf
Finding: F039
Auto approve: 1