VYPR

Maven package

org.opensaml/opensaml

pkg:maven/org.opensaml/opensaml

Vulnerabilities (4)

  • CVE-2014-3603Apr 4, 2019
    affected < 2.6.2fixed 2.6.2

    The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certi

  • CVE-2015-1796Jul 8, 2015
    affected < 2.6.5fixed 2.6.5

    The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued

  • CVE-2013-6440Feb 14, 2014
    affected < 2.6.1fixed 2.6.1

    The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML DOC

  • CVE-2011-1411Sep 2, 2011
    affected >= 2.4.0, < 2.4.3fixed 2.4.3

    Shibboleth OpenSAML library 2.4.x before 2.4.3 and 2.5.x before 2.5.1, and IdP before 2.3.2, allows remote attackers to forge messages and bypass authentication via an "XML Signature wrapping attack."