Vulnerabilities (CVE)

Filtered by vendor Shibboleth Subscribe
Filtered by product Opensaml
Total 3 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-16853 2 Debian, Shibboleth 2 Debian Linux, Opensaml 2024-11-21 6.8 MEDIUM 8.1 HIGH
The DynamicMetadataProvider class in saml/saml2/metadata/impl/DynamicMetadataProvider.cpp in OpenSAML-C in OpenSAML before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform critical security checks such as signature verification, enforcement of validity periods, and other checks specific to deployments, aka CPPOST-105.
CVE-2013-6440 2 Internet2, Shibboleth 2 Opensaml, Opensaml 2024-11-21 5.0 MEDIUM N/A
The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML DOCTYPE declaration.
CVE-2011-1411 1 Shibboleth 2 Opensaml, Shibboleth-identity-provider 2024-11-21 5.8 MEDIUM N/A
Shibboleth OpenSAML library 2.4.x before 2.4.3 and 2.5.x before 2.5.1, and IdP before 2.3.2, allows remote attackers to forge messages and bypass authentication via an "XML Signature wrapping attack."