CVE-2026-40994

Spring · Web Services

An initialization error in Wss4jSecurityInterceptor disables WS-I Basic Security Profile enforcement, potentially causing services to accept invalid security messages.

Executive summary

An initialization defect in Spring Web Services' Wss4jSecurityInterceptor disables WS-I Basic Security Profile enforcement on inbound messages, leaving applications open to accepting non-compliant WS-Security data.

Vulnerability

The Wss4jSecurityInterceptor fails to initialize the BSP compliance flag correctly during inbound validation. As a result, WS-I Basic Security Profile rules are not enforced on the WSS4J RequestData, which could allow attackers to submit malformed or malicious SOAP messages that the profile's rules would otherwise reject.

Business impact

With a CVSS score of 8.2, this vulnerability represents a significant risk to the security posture of enterprise service integrations. By bypassing BSP enforcement, attackers may successfully inject messages that would otherwise be rejected, potentially leading to unauthorized service execution or downstream system instability.

Remediation

Immediate Action: Upgrade to Spring Web Services version 5.0.2, 4.1.4, or later to restore proper security enforcement.

Proactive Monitoring: Inspect application logs for incoming SOAP requests that deviate from established security schemas or trigger validation errors.

Compensating Controls: If immediate patching is not feasible, explicitly enable BSP compliance on the Wss4jSecurityInterceptor by calling its setBspCompliant setter with the argument true in your application configuration, rather than relying on the default that the affected versions fail to apply.
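As an added illustration of that compensating control (not code from this advisory or from the Spring Web Services project), the following Spring-WS Java configuration declares the interceptor as a bean with BSP compliance switched on explicitly and registers it for inbound validation. It assumes a Spring WS 4.x/5.x line where WsConfigurer's methods have default implementations, and the validation action "Timestamp" is a placeholder for whatever actions the service actually requires.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.ws.config.annotation.EnableWs;
import org.springframework.ws.config.annotation.WsConfigurer;
import org.springframework.ws.server.EndpointInterceptor;
import org.springframework.ws.soap.security.wss4j2.Wss4jSecurityInterceptor;

// Added example configuration (not from the advisory or Spring WS).
// Assumes a service that validates a Timestamp header on every inbound request.
@EnableWs
@Configuration
public class WsSecurityConfig implements WsConfigurer {

    @Bean
    public Wss4jSecurityInterceptor securityInterceptor() {
        Wss4jSecurityInterceptor interceptor = new Wss4jSecurityInterceptor();
        // "Timestamp" is an assumed validation action for illustration only;
        // UsernameToken or Signature would additionally need a callback handler / keystore.
        interceptor.setValidationActions("Timestamp");
        // Compensating control for CVE-2026-40994: set the BSP compliance flag
        // explicitly instead of relying on the library default, which the affected
        // versions fail to apply during inbound validation.
        interceptor.setBspCompliant(true);
        return interceptor;
    }

    @Override
    public void addInterceptors(List<EndpointInterceptor> interceptors) {
        // Registering the managed bean (not a locally constructed instance) lets Spring
        // invoke afterPropertiesSet(), so the WSS4J engine is built with the flag applied.
        interceptors.add(securityInterceptor());
    }
}
```

Inbound SOAP messages that violate the WS-I Basic Security Profile are then rejected by WSS4J before reaching the endpoint, which is also the behaviour to expect after upgrading to a fixed version.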

Exploitation status

Public Exploit Available: false

Analyst recommendation

Standard security profiles are foundational to preventing message-based attacks. Organizations should prioritize updating their Spring Web Services dependencies to ensure that all inbound traffic is strictly validated against the WS-I Basic Security Profile.