Moderate severityNVD Advisory· Published Oct 30, 2014· Updated May 6, 2026

CVE-2014-3623

Description

Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.apache.ws.security:wss4jMaven	< 1.6.17	1.6.17
org.apache.wss4j:wss4j-ws-security-domMaven	>= 2.0.0, < 2.0.2	2.0.2

Affected products

Apache/Cxf
cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*
Range: >=2.7.0,<=2.7.13
Apache/Wss4j
cpe:2.3:a:apache:wss4j:*:*:*:*:*:*:*:*
Range: <1.6.17

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

rhn.redhat.com/errata/RHSA-2015-0236.htmlnvdThird Party AdvisoryWEB
rhn.redhat.com/errata/RHSA-2015-0675.htmlnvdThird Party AdvisoryWEB
rhn.redhat.com/errata/RHSA-2015-0850.htmlnvdThird Party AdvisoryWEB
rhn.redhat.com/errata/RHSA-2015-0851.htmlnvdThird Party AdvisoryWEB
seclists.org/oss-sec/2014/q4/437nvdMailing ListThird Party AdvisoryWEB
secunia.com/advisories/61909nvdThird Party Advisory
www.securityfocus.com/bid/70736nvdThird Party AdvisoryVDB Entry
github.com/advisories/GHSA-99v3-9x35-c5vfghsaADVISORY
issues.apache.org/jira/browse/WSS-511nvdVendor AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2014-3623ghsaADVISORY
exchange.xforce.ibmcloud.com/vulnerabilities/97754nvdVDB EntryWEB
lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3EghsaWEB
lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3EghsaWEB
lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3EghsaWEB
lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3EghsaWEB
lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3EghsaWEB
lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3EghsaWEB
lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3Envd
lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3Envd
lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3Envd
lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3Envd
lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3Envd
lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3Envd

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.002
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000