SAML SubjectConfirmation Method Spoofing Vulnerability in Apache WSS4J

SAML SubjectConfirmation Method Spoofing Vulnerability in Apache WSS4J

CVE-2014-3623 · MEDIUM Severity

AV:N/AC:L/AU:N/C:N/I:P/A:N

Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.

Learn more about our Cis Benchmark Audit For Bind.