Opensaml

opensaml

Vendor: Shibboleth • 3 CVEs

CVEs (3)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2017-16853 2Debian Shibboleth 2Debian Linux Opensaml May 13, 2026 Nov 16, 2017 N/A· v4 8.1 HIGH· v3 6.8 MEDIUM· v2 The DynamicMetadataProvider class in saml/saml2/metadata/impl/DynamicMetadataProvider.cpp in OpenSAML-C in OpenSAML before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform cri...Show more The DynamicMetadataProvider class in saml/saml2/metadata/impl/DynamicMetadataProvider.cpp in OpenSAML-C in OpenSAML before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform critical security checks such as signature verification, enforcement of validity periods, and other checks specific to deployments, aka CPPOST-105.Show less
CVE-2013-6440 2Internet2 Shibboleth 2Opensaml Opensaml Apr 29, 2026 Feb 14, 2014 N/A· v4 N/A· v3 5.0 MEDIUM· v2 The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true, which allows remote attackers to con...Show more The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML DOCTYPE declaration.Show less
CVE-2011-1411 1Shibboleth 2Opensaml Shibboleth Identity Provider Apr 29, 2026 Sep 2, 2011 N/A· v4 N/A· v3 5.8 MEDIUM· v2 Shibboleth OpenSAML library 2.4.x before 2.4.3 and 2.5.x before 2.5.1, and IdP before 2.3.2, allows remote attackers to forge messages and bypass authentication via an "XML Signature wrapping attack."