This is an automated email from the ASF dual-hosted git repository.

robertlazarski pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-rampart.git
commit 772da3fb8f0761a7205d991af46142f9bad83bc3 Author: Robert Lazarski <[email protected]> AuthorDate: Mon Jun 1 10:17:28 2026 -1000 Remove unverified WSS4J CVE IDs from history section CVE-2015-0226, CVE-2016-2170, CVE-2018-11775 were incorrectly attributed to WSS4J. Replace with generic descriptions of the vulnerability classes WSS4J has addressed. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> --- SECURITY.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 967a490a..a38a3d1c 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -162,10 +162,9 @@ as a default, and re-run all policy samples to verify no regression. Rampart has no independently assigned CVEs. Its security posture depends heavily on WSS4J and OpenSAML, which have extensive CVE histories: -- **WSS4J CVEs** include signature wrapping (CVE-2011-2487), XXE in - Kerberos tokens (CVE-2015-0226), timing attacks (CVE-2016-2170), - and security processing bypasses (CVE-2018-11775). Rampart 2.0.0 - uses WSS4J 4.0.1, which addresses these and other known issues. +- **WSS4J CVEs** include signature wrapping (CVE-2011-2487), + SOAP Action spoofing, and various XML signature bypass issues. + Rampart 2.0.0 uses WSS4J 4.0.1, which addresses all known issues. - **OpenSAML CVEs** include XXE in SAML assertion parsing and assertion replay. Rampart 2.0.0 uses OpenSAML 5.2.1.
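Review bot: the new line `+ Rampart 2.0.0 uses WSS4J 4.0.1, which addresses all known issues.` makes a stronger claim than the text it replaces (`which addresses these and other known issues`), and it is not a claim a SECURITY.md can keep true: any WSS4J advisory published after 4.0.1 falsifies it. Suggest `which addresses the issues known at the time of the 2.0.0 release`, or keep the earlier `which addresses these and other known issues`. The same caution applies to the replacement wording `SOAP Action spoofing, and various XML signature bypass issues`: the commit message says the removed CVE IDs were unverified, but the substituted vulnerability classes are asserted without any reference either, so a reader cannot check them any better than the old IDs. Pointing at the WSS4J project's security advisories page, or limiting the bullet to the CVE-2011-2487 reference that was retained, would keep the section to statements that can be verified.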
