The Apache Santuario XML Security for Java project is vulnerable to a Denial of Service (DoS) type attack leading to an OutOfMemoryError, which is caused by allowing Document Type Definitions (DTDs) when applying Transforms. From the 1.5.6 release onwards, DTDs will not be processed at all when the "secure validation" mode is enabled.
8718e8b28ba92f0c8d1021a89a00f91b0c89c346b43d6b5dba5031eb339cb16c
Apache CXF is vulnerable to SOAP Action spoofing attacks on Document Literal web services.
265093c0400de4893cfcfb8c5d295612e2d9b4b4da83727f2ebd03463249a7fa
Apache CXF does not verify that elements were signed or encrypted by a particular Supporting Token. This affects all released versions as of 06/08/2012.
c9c7fa7be43cf530477727dcae683b3b6071776b83dccb3e1ab0dc315ec3a472
Apache CXF does not pick up some child policies of WS-SecurityPolicy 1.1 SupportingToken policy assertions on the client side. Apache CXF versions 2.4.5 through 2.4.7, 2.5.1 through 2.5.3, and 2.6.0 are affected.
9192946a363a63b454cdbfe47e3d089546ef6e6058eec8ac012d7080b7e47be8
Apache CXF versions 2.4.5 and 2.5.1 fail to validate a WS-Security UsernameToken received as part of the security header of a SOAP request against a WS-SP UsernameToken policy.
b292e2def6610f71ed845303fc918ae45534205d8f616f67a68c79fe20ca97ba