CVE-2014-3623
Description
Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.
Risk Information
Base Score
8.6
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C
EPSS Score
Exploitation Probability
2.49
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2015-0227,CVE-2015-0226,CVE-2014-3623 are fixed in Apache-wss4j 1.6.17 | Windows |
| Vulnerabilities CVE-2015-0226,CVE-2014-3623 are fixed in Apache-wss4j-ws-security-dom 2.0.2 | Windows |
| Vulnerabilities CVE-2015-0227,CVE-2015-0226,CVE-2014-3623 are fixed in Apache-wss4j for Linux 1.6.17 | Linux |
| Vulnerabilities CVE-2015-0226,CVE-2014-3623 are fixed in Apache-wss4j-ws-security-dom for Linux 2.0.2 | Linux |
Patch Details
No records foundReferences
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234