Description

Shibboleth OpenSAML library 2.4.x before 2.4.3 and 2.5.x before 2.5.1, and IdP before 2.3.2, allows remote attackers to forge messages and bypass authentication via an "XML Signature wrapping attack."

Remediation

References

http://secunia.com/advisories/50994

http://shibboleth.internet2.edu/secadv/secadv_20110725.txt

http://www.debian.org/security/2011/dsa-2284

http://www.mandriva.com/security/advisories?name=MDVSA-2013:150

http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html

Related Vulnerabilities

CVE-2019-10303 Vulnerability in maven package org.jenkins-ci.plugins:azure-publishersettings-credentials

CVE-2015-8855 Vulnerability in npm package semver

CVE-2019-16540 Vulnerability in maven package org.jenkins-ci.plugins:support-core

CVE-2022-45397 Vulnerability in maven package org.jenkins-ci.plugins:osf-builder-suite-xml-linter

CVE-2018-1999036 Vulnerability in maven package org.jenkins-ci.plugins:ssh-agent

Severity

Critical

Classification

CWE-287

Tags

Vendor Advisory