Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.
https://issues.apache.org/jira/browse/WSS-511
https://exchange.xforce.ibmcloud.com/vulnerabilities/97754
http://www.securityfocus.com/bid/70736
http://secunia.com/advisories/61909
http://seclists.org/oss-sec/2014/q4/437
http://rhn.redhat.com/errata/RHSA-2015-0851.html
http://rhn.redhat.com/errata/RHSA-2015-0850.html