Lucene search

PRIOn knowledge basePRION:CVE-2014-3623

HistoryOct 30, 2014 - 2:55 p.m.

Design/Logic Flaw

2014-10-3014:55:00

PRIOn knowledge base

www.prio-n.com

7 High

AI Score

Confidence

Low

0.004 Low

EPSS

Percentile

73.9%

JSON

Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.

CPENameOperatorVersion
cxfge3.0.0
cxflt3.0.2
cxfge2.7.0
cxfle2.7.13
wss4jlt1.6.17
wss4jge2.0.0
wss4jlt2.0.2

Name	Operator	Version
cxf	ge	3.0.0
cxf	lt	3.0.2
cxf	ge	2.7.0
cxf	le	2.7.13
wss4j	lt	1.6.17
wss4j	ge	2.0.0
wss4j	lt	2.0.2

References

rhn.redhat.com/errata/RHSA-2015-0236.html

rhn.redhat.com/errata/RHSA-2015-0675.html

rhn.redhat.com/errata/RHSA-2015-0850.html

rhn.redhat.com/errata/RHSA-2015-0851.html

seclists.org/oss-sec/2014/q4/437

secunia.com/advisories/61909

www.securityfocus.com/bid/70736

exchange.xforce.ibmcloud.com/vulnerabilities/97754

issues.apache.org/jira/browse/WSS-511

lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E

lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E

lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E

lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E

lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E

lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E