The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java prior to 2.6.1 set the expandEntityReferences property to true, which allows remote malicious users to conduct XML external entity (XXE) attacks via a crafted XML DOCTYPE declaration.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
internet2 opensaml 2.2.0 |
||
internet2 opensaml 2.1.0 |
||
shibboleth opensaml 2.4.3 |
||
shibboleth opensaml 2.4.2 |
||
shibboleth opensaml 2.5.3 |
||
shibboleth opensaml |
||
shibboleth opensaml 2.5.1 |
||
shibboleth opensaml 2.5.0 |
||
internet2 opensaml 2.0 |
||
shibboleth opensaml 2.5.2 |
||
shibboleth opensaml 2.4.1 |
||
shibboleth opensaml 2.4.0 |