CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
EPSS
Percentile
77.7%
OpenSAML developer reports:
The Shibboleth software relies on the OpenSAML libraries to
perform verification of signed XML messages such as attribute
queries or SAML assertions. Both the Java and C++ versions are
vulnerable to a so-called “wrapping attack” that allows a remote,
unauthenticated attacker to craft specially formed messages that
can be successfully verified, but contain arbitrary content.