Описание
Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.
Ссылки
- Third Party Advisory
- Third Party Advisory
- Third Party Advisory
- Third Party Advisory
- Mailing ListThird Party Advisory
- Third Party Advisory
- Third Party AdvisoryVDB Entry
- VDB Entry
- Vendor Advisory
- Third Party Advisory
- Third Party Advisory
- Third Party Advisory
- Third Party Advisory
- Mailing ListThird Party Advisory
Уязвимые конфигурации
Одно из
Одно из
EPSS
5 Medium
CVSS2
Дефекты
Связанные уязвимости
Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.
Уязвимость программного средства Apache WSS4J, связанная с недостатками процедуры аутентификации, позволяющая нарушителю обойти процесс аутентификации
EPSS
5 Medium
CVSS2