Apache Axis2 allows remote malicious users to forge messages and bypass authentication via an "XML Signature wrapping attack."
apache axis2 -