GHSA-99v3-9x35-c5vf

Suggest an improvement
Source
https://github.com/advisories/GHSA-99v3-9x35-c5vf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-99v3-9x35-c5vf/GHSA-99v3-9x35-c5vf.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-99v3-9x35-c5vf
Aliases
  • CVE-2014-3623
Published
2022-05-13T01:09:20Z
Modified
2024-12-03T06:04:49.279674Z
Summary
Improper Authentication in Apache WSS4J
Details

Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.

Database specific
{
    "nvd_published_at": "2014-10-30T14:55:00Z",
    "cwe_ids": [
        "CWE-287"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-07T22:34:04Z"
}
References

Affected packages

Maven / org.apache.ws.security:wss4j

Package

Name
org.apache.ws.security:wss4j
View open source insights on deps.dev
Purl
pkg:maven/org.apache.ws.security/wss4j

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.6.17

Affected versions

1.*

1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7
1.5.8
1.5.9
1.5.10
1.5.11
1.5.12
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.6.9
1.6.10
1.6.11
1.6.12
1.6.13
1.6.14
1.6.15
1.6.16

Maven / org.apache.wss4j:wss4j-ws-security-dom

Package

Name
org.apache.wss4j:wss4j-ws-security-dom
View open source insights on deps.dev
Purl
pkg:maven/org.apache.wss4j/wss4j-ws-security-dom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.0.2

Affected versions

2.*

2.0.0
2.0.1