CVE-2014-3623

2014-10-30T14:55:00
ID CVE-2014-3623
Type cve
Reporter cve@mitre.org
Modified 2018-04-13T13:00:00

Description

Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.