CVE-2014-3623
Improper Authentication in Apache WSS4J
EPSS 2.5%
Description
Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.
How to fix CVE-2014-3623
To remediate CVE-2014-3623, upgrade the affected package to a fixed version below.
- Maven/org.apache.wss4j:wss4j-ws-security-dom—upgrade to 2.0.2 or later
- Maven/org.apache.ws.security:wss4j—upgrade to 1.6.17 or later
Is CVE-2014-3623 being exploited?
Low — EPSS is 2.5%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 2.0.0, < 2.0.2
- from 0, < 1.6.17