GHSA-99v3-9x35-c5vf

Source
https://github.com/advisories/GHSA-99v3-9x35-c5vf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-99v3-9x35-c5vf/GHSA-99v3-9x35-c5vf.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-99v3-9x35-c5vf
Aliases
  • CVE-2014-3623
Published
2022-05-13T01:09:20Z
Modified
2024-12-03T06:00:17.054584Z
Summary
Improper Authentication in Apache WSS4J
Details

Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.

Database specific
{
    "nvd_published_at": "2014-10-30T14:55:00Z",
    "cwe_ids": [
        "CWE-287"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-07T22:34:04Z"
}

Affected packages

Maven / org.apache.ws.security:wss4j

Package

Name
org.apache.ws.security:wss4j
Purl
pkg:maven/org.apache.ws.security/wss4j

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.6.17

Affected versions

1.*

1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7
1.5.8
1.5.9
1.5.10
1.5.11
1.5.12
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.6.9
1.6.10
1.6.11
1.6.12
1.6.13
1.6.14
1.6.15
1.6.16

Maven / org.apache.wss4j:wss4j-ws-security-dom

Package

Name
org.apache.wss4j:wss4j-ws-security-dom
Purl
pkg:maven/org.apache.wss4j/wss4j-ws-security-dom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.0.2

Affected versions

2.*

2.0.0
2.0.1