Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.
Metrics
Affected Vendors & Products
References
History
No history.

Status: PUBLISHED
Assigner: redhat
Published:
Updated: 2024-08-06T10:50:17.711Z
Reserved: 2014-05-14T00:00:00
Link: CVE-2014-3623

No data.

Status : Deferred
Published: 2014-10-30T14:55:07.833
Modified: 2025-04-12T10:46:40.837
Link: CVE-2014-3623
