OSV:GHSA-V723-58JV-2QC4
May 13, 2022 - 1:04 a.m.

Exposure of Sensitive Information to an Unauthorized Actor in OpenSAML

2022-05-13 01:04:00
Google
osv.dev
opensaml
xxe attacks
sensitive information

EPSS: 0.003 (percentile: 67.8%)

The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML DOCTYPE declaration.