Red Hat Security Advisory 2014-0798-01
https://packetstormsecurity.com/files/127236/RHSA-2014-0798-01.txt
https://packetstormsecurity.com/files/127236/Red-Hat-Security-Advisory-2014-0798-01.html
Thu, 26 Jun 2014 23:20:15 GMT

Red Hat Security Advisory 2014-0798-01 - Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. Apache CXF is an open source services framework that is part of Red Hat JBoss Enterprise Application Platform. It was found that the SecurityTokenService (STS), provided as part of Apache CXF, could under certain circumstances accept invalid SAML tokens as valid. A remote attacker could use a specially crafted SAML token to gain access to an application that uses STS for validation of SAML tokens.