
195 matches found

Github Security Blog
added 2022/05/17 5:02 a.m., 34 views

Improper Authentication in OpenSAML

Shibboleth OpenSAML library 2.4.x before 2.4.3 and 2.5.x before 2.5.1, and IdP before 2.3.2, allows remote attackers to forge messages and bypass authentication via an "XML Signature wrapping attack."...

CVSS 5.8, AI score 6.2, EPSS 0.02291
Exploits 0, References 5, Affected Software 1
vulnersOsv
added 2022/05/17 5:02 a.m., 3 views

br.com.esec.icpm:certillion-client-library (>=1.1.7 <=1.2.0), br.com.esec.icpm:certillion-client-library-resteasy-plugin (>=1.1.9 <=1.1.10) +415 more potentially affected by CVE-2011-1411 via org.opensaml:opensaml (=2.5.1-1)

org.opensaml:opensaml MAVEN version =2.5.1-1 is affected by a known vulnerability. The following packages have a transitive dependency on org.opensaml:opensaml and may be impacted: - br.com.esec.icpm:certillion-client-library =1.1.7, =1.1.9, =1.2.5, =2.0.0, =12.1.0, =12.1.1, =12.1.2, =12.1.0,...

CVSS 5.8, AI score 5.8, EPSS 0.02291
Exploits 0
OSV
added 2022/05/17 5:02 a.m., 30 views

GHSA-QWWJ-QJ3F-9HV7 Improper Authentication in OpenSAML

Shibboleth OpenSAML library 2.4.x before 2.4.3 and 2.5.x before 2.5.1, and IdP before 2.3.2, allows remote attackers to forge messages and bypass authentication via an "XML Signature wrapping attack."...

CVSS 5.8, AI score 6.5, EPSS 0.02291
Exploits 0, References 4
Github Security Blog
added 2022/05/17 3:38 a.m., 37 views

Improper Certificate Validation in Shibboleth Identity Provider and OpenSAML

The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java OpenSAML-J before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a...

CVSS 4.3, AI score 8.4, EPSS 0.01256
Exploits 0, References 5, Affected Software 2
vulnersOsv
added 2022/05/17 3:38 a.m., 4 views

br.com.esec.icpm:certillion-client-library (>=1.1.7 <=1.2.0), br.com.esec.icpm:certillion-client-library-resteasy-plugin (>=1.1.9 <=1.1.10) +870 more potentially affected by CVE-2015-1796 via org.opensaml:opensaml (>=1.1 <=2.6.4)

org.opensaml:opensaml MAVEN version =1.1, =1.1.7, =1.1.9, =1.2.5, =1.2.1, =3.0.0, =12.1.0, =12.1.1, =12.1.2, =12.1.0, =12.1.4, =1.0.83-RC1, =1.0.88-RC1, =1.0.83-RC1, =1.0.112-RELEASE and more Source cves: CVE-2015-1796 Source advisory: OSV:GHSA-78FQ-W796-Q537...

CVSS 4.3, AI score 7.1, EPSS 0.01256
Exploits 0
OSV
added 2022/05/17 3:38 a.m., 0 views

GHSA-78FQ-W796-Q537 Improper Certificate Validation in Shibboleth Identity Provider and OpenSAML

The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java OpenSAML-J before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a...

CVSS 4.3, AI score 7.2, EPSS 0.01256
Exploits 0, References 4
vulnersOsv
added 2022/05/14 1:11 a.m., 3 views

br.com.esec.icpm:certillion-client-library (>=1.1.7 <=1.2.0), br.com.esec.icpm:certillion-client-library-resteasy-plugin (>=1.1.9 <=1.1.10) +811 more potentially affected by CVE-2014-3603 via org.opensaml:opensaml (>=1.1 <=2.6.1)

org.opensaml:opensaml MAVEN version =1.1, =1.1.7, =1.1.9, =1.2.5, =1.2.1, =12.1.0, =12.1.1, =12.1.2, =12.1.0, =12.1.4, =1.0.83-RC1, =1.0.88-RC1, =1.0.83-RC1, =1.0.83-RC1, =1.0.112-RELEASE and more Source cves: CVE-2014-3603 Source advisory: OSV:GHSA-RM7V-GQFG-P2WC...

CVSS 5.9, AI score 6.4, EPSS 0.00844
Exploits 1
Github Security Blog
added 2022/05/14 1:11 a.m., 37 views

Improper Validation of Certificate with Host Mismatch in Shibboleth Identity Provider and OpenSAML Java

The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows...

CVSS 5.9, AI score 6, EPSS 0.00844
Exploits 1, References 4, Affected Software 2
OSV
added 2022/05/14 1:11 a.m., 2 views

GHSA-RM7V-GQFG-P2WC Improper Validation of Certificate with Host Mismatch in Shibboleth Identity Provider and OpenSAML Java

The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows...

CVSS 5.9, AI score 6, EPSS 0.00844
Exploits 1, References 3
Github Security Blog
added 2022/05/13 1:04 a.m., 20 views

Exposure of Sensitive Information to an Unauthorized Actor in OpenSAML

The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML DOCTYPE declaration...

CVSS 5, AI score 5.6, EPSS 0.02752
Exploits 0, References 10, Affected Software 1
OSV
added 2022/05/13 1:04 a.m., 1 view

GHSA-V723-58JV-2QC4 Exposure of Sensitive Information to an Unauthorized Actor in OpenSAML

The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML DOCTYPE declaration...

CVSS 5, AI score 5.9, EPSS 0.02752
Exploits 0, References 9
Github Security Blog
added 2022/05/13 1:02 a.m., 17 views

XMLTooling Library Incorrectly Handles Some Exceptions

The XMLTooling library all versions prior to V3.0.4, provided with the OpenSAML and Shibboleth Service Provider software, contains an XML parsing class. Invalid data in the XML declaration causes an exception of a type that was not handled properly in the parser class and propagates an unexpected...

CVSS 7.5, AI score 6.8, EPSS 0.02052
Exploits 0, References 9, Affected Software 1
OSV
added 2022/05/13 1:02 a.m., 27 views

GHSA-6HVF-XVWM-VRW4 XMLTooling Library Incorrectly Handles Some Exceptions

The XMLTooling library all versions prior to V3.0.4, provided with the OpenSAML and Shibboleth Service Provider software, contains an XML parsing class. Invalid data in the XML declaration causes an exception of a type that was not handled properly in the parser class and propagates an unexpected...

CVSS 7.5, AI score 7.2, EPSS 0.02052
Exploits 0, References 8
OpenVAS
added 2021/04/19 12:00 a.m., 10 views

SUSE: Security Advisory (SUSE-SU-2017:3234-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2021 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 8.1, AI score 8.1, EPSS 0.01398
Exploits 0, References 4
IBM Security Bulletins
added 2021/02/25 2:37 p.m., 49 views

Security Bulletin: IBM Resilient SOAR is using opensaml-2.6.4.jar that could be vulnerable to bypass security restrictions (CVE-2015-1796)

Summary: opensaml-2.6.4.jar is vulnerable to CVE-2015-1796. Shibboleth Identity Provider could allow a remote attacker to bypass security restrictions, caused by an error in the PKIX trust component. An attacker could exploit this vulnerability using a certificate issued by the shibmd:KeyAuthority...

CVSS 4.3, AI score 1.3, EPSS 0.01256
Exploits 0, Affected Software 1
IBM Security Bulletins
added 2020/02/27 7:00 a.m., 24 views

Security Bulletin: Man in the middle vulnerability CVE-2014-3603 affects Websphere Liberty and OpenLiberty used by MobileFirst Platform Foundation

Summary: IBM MobileFirst Platform Foundation has addressed the following vulnerability. Man in the middle vulnerability CVE-2014-3603 affects Websphere Liberty and OpenLiberty. Vulnerability Details: CVEID: CVE-2014-3603 DESCRIPTION: Shibboleth Identity Provider (IdP) and OpenSAML Java could allow a...

CVSS 5.9, AI score 0.6, EPSS 0.00844
Exploits 1, Affected Software 1
IBM Security Bulletins
added 2020/02/14 6:39 p.m., 33 views

Security Bulletin: Vulnerabilities in Websphere Liberty and OpenLiberty

Summary: There are vulnerabilities in Websphere Liberty used by IBM Streams. IBM Streams has addressed the applicable CVEs. Vulnerability Details: CVEID: CVE-2014-3603 DESCRIPTION: The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and...

CVSS 5.9, AI score 1.1, EPSS 0.00844
Exploits 1, Affected Software 1
IBM Security Bulletins
added 2020/01/31 5:50 p.m., 23 views

Security Bulletin: Rational Asset Analyzer (RAA) is affected by a WAS vulnerability.

Summary: Rational Asset Analyzer (RAA) has addressed the following vulnerability in WAS. Vulnerability Details: CVEID: CVE-2014-3603 DESCRIPTION: The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that...

CVSS 5.9, AI score 1.4, EPSS 0.00844
Exploits 1, Affected Software 1
0day.today
added 2019/11/03 12:00 a.m., 95 views

eIDAS-Node 2.3 Authentication Bypass Exploit

Exploit for multiple platforms in category web applications. title: Authentication Bypass; product: eIDAS-Node; vulnerable version: =v2.3 v2.1 vulnerability 2; fixed version: v2.3.1; CVE number: -; impact: critical; homepage:...

AI score 7.4
Exploits 0
Prion
added 2019/04/11 8:29 p.m., 14 views

Design/Logic Flaw

The XMLTooling library all versions prior to V3.0.4, provided with the OpenSAML and Shibboleth Service Provider software, contains an XML parsing class. Invalid data in the XML declaration causes an exception of a type that was not handled properly in the parser class and propagates an unexpected...

CVSS 5, AI score 7.3, EPSS 0.02052
Exploits 0, References 7, Affected Software 3