PT-2014-2052 · Apache · Apache CXF, Apache WSS4J

Published 2014-10-30 · Updated 2022-05-13 · CVE-2014-3623

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions

Apache WSS4J versions prior to 1.6.17, and 2.x versions prior to 2.0.2
Apache CXF 2.7.x versions prior to 2.7.13, and 3.0.x versions prior to 3.0.2
Description

Apache WSS4J did not properly enforce the security semantics of the SAML SubjectConfirmation method when a SAML token was received under a TransportBinding, that is, where TLS rather than message-level signatures protects the exchange. The SubjectConfirmation method states what a presenter must do for the assertion to be trusted: holder-of-key requires proof of possession of the key the issuer bound to the subject, and sender-vouches requires the assertion and the message to be vouched for by the signature of a trusted party. Because affected versions did not check these requirements over a TransportBinding, a remote attacker able to send a message to the service could supply a SAML token whose confirmation requirements had not actually been met and have it accepted, spoofing the identity the token asserts and bypassing authentication. WSS4J is the WS-Security implementation used by Apache CXF, so CXF services that consume SAML tokens under a TransportBinding security policy are affected through it.
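The check below is an added example for this advisory, not code from WSS4J, CXF or the advisory itself. It models the invariant the fix restored: a SAML token that arrives over TLS must still satisfy its SubjectConfirmation method before the subject is trusted. The Evidence dataclass, the make_assertion helper and the accept_* functions are assumptions made for illustration; the assertion is constructed, unsigned sample data, and the method URIs are the standard SAML 2.0 confirmation-method identifiers.

```python
"""Enforcing SAML SubjectConfirmation semantics for a token received over TLS.

Added illustration for CVE-2014-3623; this is not WSS4J or CXF code. It
models the invariant the fix restored: a SAML token arriving under a
TransportBinding must still satisfy its SubjectConfirmation method. The
Evidence fields are assumed to come from a signature-verification layer.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


@dataclass
class Evidence:
    """What the WS-Security layer actually verified (assumed inputs, not parsed here)."""
    over_tls: bool                      # message arrived on a TLS channel (TransportBinding)
    issuer_trusted: bool                # assertion signature verified against a trusted issuer
    signed_with_subject_key: bool       # message signed with the key in SubjectConfirmationData
    body_signed_by_trusted_party: bool  # assertion and SOAP Body signed by a trusted sender


def make_assertion(method: str, subject: str = "alice") -> str:
    """Constructed, unsigned sample assertion; only the fields this check reads."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML2}" Version="2.0" ID="_a1">'
        '<saml:Issuer>https://idp.example</saml:Issuer>'
        f'<saml:Subject><saml:NameID>{subject}</saml:NameID>'
        f'<saml:SubjectConfirmation Method="{method}"/>'
        '</saml:Subject></saml:Assertion>'
    )


def confirmation_methods(assertion_xml: str) -> List[str]:
    """Every SubjectConfirmation/@Method in the assertion, in document order."""
    root = ET.fromstring(assertion_xml)
    return [sc.get("Method", "") for sc in root.iter(f"{{{SAML2}}}SubjectConfirmation")]


def accept_vulnerable(assertion_xml: str, ev: Evidence) -> bool:
    """Pre-fix behaviour, in spirit: under a TransportBinding the channel is
    treated as sufficient and the confirmation method is never consulted."""
    return ev.over_tls


def accept_fixed(assertion_xml: str, ev: Evidence, allow_bearer: bool = False) -> bool:
    """Accept only if some SubjectConfirmation is satisfied under policy.

    Per SAML 2.0 Core, a Subject is confirmed when at least one of its
    SubjectConfirmation elements is satisfied. A method the policy does not
    permit, or one the code does not recognise, is never satisfied.
    """
    satisfied = []
    for method in confirmation_methods(assertion_xml):
        if method == HOLDER_OF_KEY:
            # Assertion must come from a trusted issuer and the presenter must
            # prove possession of the key the issuer bound to the subject.
            ok = ev.issuer_trusted and ev.signed_with_subject_key
        elif method == SENDER_VOUCHES:
            # A trusted intermediary vouches by signing assertion and Body together.
            ok = ev.body_signed_by_trusted_party
        elif method == BEARER:
            # Bearer proves nothing about the presenter; only allow it when the
            # policy opts in, and then still require a trusted issuer and TLS.
            ok = allow_bearer and ev.issuer_trusted and ev.over_tls
        else:
            ok = False
        satisfied.append(ok)
    return any(satisfied)


if __name__ == "__main__":
    # An attacker's self-made holder-of-key assertion sent over TLS: no trusted
    # issuer signature and no proof of key possession.
    spoofed = Evidence(over_tls=True, issuer_trusted=False,
                       signed_with_subject_key=False, body_signed_by_trusted_party=False)
    token = make_assertion(HOLDER_OF_KEY, subject="admin")
    print("vulnerable accepts:", accept_vulnerable(token, spoofed))  # True
    print("fixed accepts:    ", accept_fixed(token, spoofed))       # False
```

The point of the split between accept_vulnerable and accept_fixed is that TLS only authenticates the channel, not the producer of the assertion; the Evidence flags must come from real XML Signature verification of the assertion and the message, and a deployment that cannot produce them should reject the token rather than fall back to trusting the transport.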
Recommendations

For Apache WSS4J versions prior to 1.6.17, update to version 1.6.17 or later. For Apache WSS4J 2.x versions prior to 2.0.2, update to version 2.0.2 or later. For Apache CXF 2.7.x versions prior to 2.7.13, update to version 2.7.13 or later. For Apache CXF 3.0.x versions prior to 3.0.2, update to version 3.0.2 or later. Because CXF performs its WS-Security processing through WSS4J, confirm after upgrading CXF that the WSS4J version actually resolved on the classpath is a fixed one; a WSS4J version pinned elsewhere in the build can leave the vulnerable code in place.

Weakness Enumeration

Improper Authentication (CWE-287)

Related Identifiers

BDU:2022-06637
CVE-2014-3623
GHSA-99V3-9X35-C5VF
MGASA-2014-0552
RHSA-2014:2019

Affected Products

Apache CXF
Apache WSS4J