Access Restriction Bypass Affecting org.apache.ws.security:wss4j Open this link in a new tab package, versions [,1.6.17)
Do your applications use this vulnerable package?
13 Feb 2015
12 Feb 2015
Apache WSS4J before 1.6.17 and 2.x before 2.0.2 allows remote attackers to bypass the requireSignedEncryptedDataElements configuration via a vectors related to "wrapping attacks."