ALT-PU-2017-3639-1

Package update cxf in branch sisyphus

Version3.1.6-alt1_5jpp8

Published2017-11-03

Max severityMEDIUM

Severity:

Closed issues (5)

MEDIUM5.3

Уязвимость программного средства Apache WSS4J, связанная с недостатками процедуры аутентификации, позволяющая нарушителю обойти процесс аутентификации

Published: 2022-11-07

CVSS 3.xMEDIUM 5.3

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS 2.0MEDIUM 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N

References

CVE-2014-3623

MEDIUM5.0

Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.

Published: 2014-10-30Modified: 2025-04-12

CVSS 2.0MEDIUM 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N

References

MEDIUM4.0

The SAML Web SSO module in Apache CXF before 2.7.18, 3.0.x before 3.0.7, and 3.1.x before 3.1.3 allows remote authenticated users to bypass authentication via a crafted SAML response with a valid signed assertion, related to a "wrapping attack."

Published: 2015-11-18Modified: 2025-04-12

CVSS 2.0MEDIUM 4.0

CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:P/A:N

References

GHSA-3336-h95j-hvvf

NONE

Improper Access Control in Apache CXF

Published: 2022-05-13Modified: 2023-12-22

References

GHSA-99v3-9x35-c5vf

NONE

Improper Authentication in Apache WSS4J

Published: 2022-05-13Modified: 2022-07-08

References