
CVE-2014-3623

Published: 25 Oct 2014
Source: redhat
CVSS2: 4.3
EPSS: Low

Description

Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.

It was found that Apache WSS4J (Web Services Security for Java), as used by Apache CXF with the TransportBinding, did not, by default, properly enforce all security requirements associated with SAML SubjectConfirmation methods. A remote attacker could use this flaw to perform various types of spoofing attacks on web service endpoints secured by WSS4J that rely on SAML for authentication.

Statement

Fuse ESB Enterprise 7 is now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/

Red Hat JBoss SOA Platform 5 and Red Hat JBoss BRMS 5 are now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware Product Life Cycle: https://access.redhat.com/support/policy/updates/jboss_notes/

Affected packages

| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat BPM Suite 6 | cxf | Affected | | |
| Red Hat JBoss BRMS 5 | cxf | Will not fix | | |
| Red Hat JBoss BRMS 6 | cxf | Affected | | |
| Red Hat JBoss Data Virtualization 6 | cxf | Affected | | |
| Red Hat JBoss Enterprise Application Platform 5 | wss4j | Will not fix | | |
| Red Hat JBoss Enterprise Web Server 1 | fuse-6 | Affected | | |
| Red Hat JBoss Enterprise Web Server 1 | fuse-7 | Will not fix | | |
| Red Hat JBoss Enterprise Web Server 1 | others | Fix deferred | | |
| Red Hat JBoss Fuse Service Works 6 | cxf | Affected | | |
| Red Hat JBoss SOA Platform 5 | cxf | Will not fix | | |


Additional information

Status: Moderate
Weakness: CWE-347
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1157304 (CXF: Improper security semantics enforcement of SAML SubjectConfirmation methods)

EPSS: 0.0249 (percentile: 85%), Low

CVSS2: 4.3 Medium

Related vulnerabilities

nvd
more than 11 years ago

Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.

github
more than 3 years ago

Improper Authentication in Apache WSS4J

CVSS3: 5.3
fstec
more than 11 years ago

Vulnerability in the Apache WSS4J software, related to flaws in the authentication procedure, which allows an attacker to bypass the authentication process
