Apache WSS4J prior to 1.6.17 and 2.x prior to 2.0.2, as used in Apache CXF 2.7.x prior to 2.7.13 and 3.0.x prior to 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote malicious users to conduct spoofing attacks via unspecified vectors.
Vulnerable Product |
---|
apache wss4j |
apache cxf |