VYPR

Opensaml

by Internet2

CVEs (6)

  • CVE-2017-16853 | High | Nov 16, 2017
    risk 0.53 | cvss 8.1 | epss 0.01

    The DynamicMetadataProvider class in saml/saml2/metadata/impl/DynamicMetadataProvider.cpp in OpenSAML-C in OpenSAML before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform critical security checks such as signature verification,…

  • CVE-2025-31335 | Medium | Mar 28, 2025
    risk 0.26 | cvss 4.0 | epss 0.00

    The OpenSAML C++ library before 3.3.1 allows forging of signed SAML messages via parameter manipulation (when using SAML bindings that rely on non-XML signatures).

  • CVE-2013-6440 | Feb 14, 2014
    risk 0.00 | cvss | epss 0.03

    The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML…

  • CVE-2011-1411 | Sep 2, 2011
    risk 0.00 | cvss | epss 0.02

    Shibboleth OpenSAML library 2.4.x before 2.4.3 and 2.5.x before 2.5.1, and IdP before 2.3.2, allows remote attackers to forge messages and bypass authentication via an "XML Signature wrapping attack."

  • CVE-2009-3476 | Sep 29, 2009
    risk 0.00 | cvss | epss 0.04

    Buffer overflow in OpenSAML before 1.1.3 as used in Internet2 Shibboleth Service Provider software 1.3.x before 1.3.4, and XMLTooling before 1.2.2 as used in Internet2 Shibboleth Service Provider software 2.x before 2.2.1, allows remote attackers to cause a denial of service and…

  • CVE-2009-3474 | Sep 29, 2009
    risk 0.00 | cvss | epss 0.02

    OpenSAML 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, as used by Internet2 Shibboleth Service Provider 2.x before 2.2.1, do not follow the KeyDescriptor element's Use attribute, which allows remote attackers to use a certificate for both signing and encryption when it is…