Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    6 vulnerabilities found for opensaml by internet2

    CVE-2013-6440 (GCVE-0-2013-6440)

    Vulnerability from nvd – Published: 2014-02-14 15:00 – Updated: 2024-08-06 17:39
    VLAI
    Summary
    The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML DOCTYPE declaration.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Date Public
    2013-12-13 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T17:39:01.299Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2014:0170",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "http://rhn.redhat.com/errata/RHSA-2014-0170.html"
              },
              {
                "name": "RHSA-2014:0195",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "http://rhn.redhat.com/errata/RHSA-2014-0195.html"
              },
              {
                "name": "RHSA-2014:0172",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "http://rhn.redhat.com/errata/RHSA-2014-0172.html"
              },
              {
                "name": "RHSA-2014:0171",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "http://rhn.redhat.com/errata/RHSA-2014-0171.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://blog.sendsafely.com/post/69590974866/web-based-single-sign-on-and-the-dangers-of-saml-xml"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://shibboleth.net/community/advisories/secadv_20131213.txt"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1043332"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2013-12-13T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML DOCTYPE declaration."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-02-07T14:39:58.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2014:0170",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2014-0170.html"
            },
            {
              "name": "RHSA-2014:0195",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2014-0195.html"
            },
            {
              "name": "RHSA-2014:0172",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2014-0172.html"
            },
            {
              "name": "RHSA-2014:0171",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2014-0171.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://blog.sendsafely.com/post/69590974866/web-based-single-sign-on-and-the-dangers-of-saml-xml"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://shibboleth.net/community/advisories/secadv_20131213.txt"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1043332"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2013-6440",
        "datePublished": "2014-02-14T15:00:00.000Z",
        "dateReserved": "2013-11-04T00:00:00.000Z",
        "dateUpdated": "2024-08-06T17:39:01.299Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2009-3476 (GCVE-0-2009-3476)

    Vulnerability from nvd – Published: 2009-09-29 23:00 – Updated: 2024-08-07 06:31
    VLAI
    Summary
    Buffer overflow in OpenSAML before 1.1.3 as used in Internet2 Shibboleth Service Provider software 1.3.x before 1.3.4, and XMLTooling before 1.2.2 as used in Internet2 Shibboleth Service Provider software 2.x before 2.2.1, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a malformed encoded URL.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    http://secunia.com/advisories/36870 third-party-advisoryx_refsource_SECUNIA
    http://www.securityfocus.com/bid/36514 vdb-entryx_refsource_BID
    http://secunia.com/advisories/36869 third-party-advisoryx_refsource_SECUNIA
    https://exchange.xforce.ibmcloud.com/vulnerabilit… vdb-entryx_refsource_XF
    http://shibboleth.internet2.edu/secadv/secadv_200… x_refsource_CONFIRM
    Date Public
    2009-08-26 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-07T06:31:09.966Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "36870",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
                  "x_transferred"
                ],
                "url": "http://secunia.com/advisories/36870"
              },
              {
                "name": "36514",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/36514"
              },
              {
                "name": "36869",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
                  "x_transferred"
                ],
                "url": "http://secunia.com/advisories/36869"
              },
              {
                "name": "opensaml-xmltooling-url-bo(53471)",
                "tags": [
                  "vdb-entry",
                  "x_refsource_XF",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53471"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://shibboleth.internet2.edu/secadv/secadv_20090826.txt"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2009-08-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Buffer overflow in OpenSAML before 1.1.3 as used in Internet2 Shibboleth Service Provider software 1.3.x before 1.3.4, and XMLTooling before 1.2.2 as used in Internet2 Shibboleth Service Provider software 2.x before 2.2.1, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a malformed encoded URL."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-08-16T14:57:01.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "name": "36870",
              "tags": [
                "third-party-advisory",
                "x_refsource_SECUNIA"
              ],
              "url": "http://secunia.com/advisories/36870"
            },
            {
              "name": "36514",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/36514"
            },
            {
              "name": "36869",
              "tags": [
                "third-party-advisory",
                "x_refsource_SECUNIA"
              ],
              "url": "http://secunia.com/advisories/36869"
            },
            {
              "name": "opensaml-xmltooling-url-bo(53471)",
              "tags": [
                "vdb-entry",
                "x_refsource_XF"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53471"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://shibboleth.internet2.edu/secadv/secadv_20090826.txt"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2009-3476",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Buffer overflow in OpenSAML before 1.1.3 as used in Internet2 Shibboleth Service Provider software 1.3.x before 1.3.4, and XMLTooling before 1.2.2 as used in Internet2 Shibboleth Service Provider software 2.x before 2.2.1, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a malformed encoded URL."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "36870",
                  "refsource": "SECUNIA",
                  "url": "http://secunia.com/advisories/36870"
                },
                {
                  "name": "36514",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/36514"
                },
                {
                  "name": "36869",
                  "refsource": "SECUNIA",
                  "url": "http://secunia.com/advisories/36869"
                },
                {
                  "name": "opensaml-xmltooling-url-bo(53471)",
                  "refsource": "XF",
                  "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53471"
                },
                {
                  "name": "http://shibboleth.internet2.edu/secadv/secadv_20090826.txt",
                  "refsource": "CONFIRM",
                  "url": "http://shibboleth.internet2.edu/secadv/secadv_20090826.txt"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2009-3476",
        "datePublished": "2009-09-29T23:00:00.000Z",
        "dateReserved": "2009-09-29T00:00:00.000Z",
        "dateUpdated": "2024-08-07T06:31:09.966Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2009-3474 (GCVE-0-2009-3474)

    Vulnerability from nvd – Published: 2009-09-29 23:00 – Updated: 2024-08-07 06:31
    VLAI
    Summary
    OpenSAML 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, as used by Internet2 Shibboleth Service Provider 2.x before 2.2.1, do not follow the KeyDescriptor element's Use attribute, which allows remote attackers to use a certificate for both signing and encryption when it is designated for just one purpose, potentially weakening the intended security application of the certificate.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    http://www.securityfocus.com/bid/36516 vdb-entryx_refsource_BID
    https://exchange.xforce.ibmcloud.com/vulnerabilit… vdb-entryx_refsource_XF
    http://shibboleth.internet2.edu/secadv/secadv_200… x_refsource_CONFIRM
    http://secunia.com/advisories/36876 third-party-advisoryx_refsource_SECUNIA
    http://www.debian.org/security/2009/dsa-1896 vendor-advisoryx_refsource_DEBIAN
    http://secunia.com/advisories/36868 third-party-advisoryx_refsource_SECUNIA
    http://www.debian.org/security/2009/dsa-1895 vendor-advisoryx_refsource_DEBIAN
    https://bugs.internet2.edu/jira/browse/CPPOST-28 x_refsource_CONFIRM
    http://secunia.com/advisories/36855 third-party-advisoryx_refsource_SECUNIA
    Date Public
    2009-08-17 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-07T06:31:10.133Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "36516",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/36516"
              },
              {
                "name": "opensaml-keydescriptor-security-bypass(53474)",
                "tags": [
                  "vdb-entry",
                  "x_refsource_XF",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53474"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://shibboleth.internet2.edu/secadv/secadv_20090817a.txt"
              },
              {
                "name": "36876",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
                  "x_transferred"
                ],
                "url": "http://secunia.com/advisories/36876"
              },
              {
                "name": "DSA-1896",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "http://www.debian.org/security/2009/dsa-1896"
              },
              {
                "name": "36868",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
                  "x_transferred"
                ],
                "url": "http://secunia.com/advisories/36868"
              },
              {
                "name": "DSA-1895",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "http://www.debian.org/security/2009/dsa-1895"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugs.internet2.edu/jira/browse/CPPOST-28"
              },
              {
                "name": "36855",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
                  "x_transferred"
                ],
                "url": "http://secunia.com/advisories/36855"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2009-08-17T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenSAML 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, as used by Internet2 Shibboleth Service Provider 2.x before 2.2.1, do not follow the KeyDescriptor element\u0027s Use attribute, which allows remote attackers to use a certificate for both signing and encryption when it is designated for just one purpose, potentially weakening the intended security application of the certificate."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-08-16T14:57:01.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "name": "36516",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/36516"
            },
            {
              "name": "opensaml-keydescriptor-security-bypass(53474)",
              "tags": [
                "vdb-entry",
                "x_refsource_XF"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53474"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://shibboleth.internet2.edu/secadv/secadv_20090817a.txt"
            },
            {
              "name": "36876",
              "tags": [
                "third-party-advisory",
                "x_refsource_SECUNIA"
              ],
              "url": "http://secunia.com/advisories/36876"
            },
            {
              "name": "DSA-1896",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "http://www.debian.org/security/2009/dsa-1896"
            },
            {
              "name": "36868",
              "tags": [
                "third-party-advisory",
                "x_refsource_SECUNIA"
              ],
              "url": "http://secunia.com/advisories/36868"
            },
            {
              "name": "DSA-1895",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "http://www.debian.org/security/2009/dsa-1895"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugs.internet2.edu/jira/browse/CPPOST-28"
            },
            {
              "name": "36855",
              "tags": [
                "third-party-advisory",
                "x_refsource_SECUNIA"
              ],
              "url": "http://secunia.com/advisories/36855"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2009-3474",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "OpenSAML 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, as used by Internet2 Shibboleth Service Provider 2.x before 2.2.1, do not follow the KeyDescriptor element\u0027s Use attribute, which allows remote attackers to use a certificate for both signing and encryption when it is designated for just one purpose, potentially weakening the intended security application of the certificate."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "36516",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/36516"
                },
                {
                  "name": "opensaml-keydescriptor-security-bypass(53474)",
                  "refsource": "XF",
                  "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53474"
                },
                {
                  "name": "http://shibboleth.internet2.edu/secadv/secadv_20090817a.txt",
                  "refsource": "CONFIRM",
                  "url": "http://shibboleth.internet2.edu/secadv/secadv_20090817a.txt"
                },
                {
                  "name": "36876",
                  "refsource": "SECUNIA",
                  "url": "http://secunia.com/advisories/36876"
                },
                {
                  "name": "DSA-1896",
                  "refsource": "DEBIAN",
                  "url": "http://www.debian.org/security/2009/dsa-1896"
                },
                {
                  "name": "36868",
                  "refsource": "SECUNIA",
                  "url": "http://secunia.com/advisories/36868"
                },
                {
                  "name": "DSA-1895",
                  "refsource": "DEBIAN",
                  "url": "http://www.debian.org/security/2009/dsa-1895"
                },
                {
                  "name": "https://bugs.internet2.edu/jira/browse/CPPOST-28",
                  "refsource": "CONFIRM",
                  "url": "https://bugs.internet2.edu/jira/browse/CPPOST-28"
                },
                {
                  "name": "36855",
                  "refsource": "SECUNIA",
                  "url": "http://secunia.com/advisories/36855"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2009-3474",
        "datePublished": "2009-09-29T23:00:00.000Z",
        "dateReserved": "2009-09-29T00:00:00.000Z",
        "dateUpdated": "2024-08-07T06:31:10.133Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2013-6440 (GCVE-0-2013-6440)

    Vulnerability from cvelistv5 – Published: 2014-02-14 15:00 – Updated: 2024-08-06 17:39
    VLAI
    Summary
    The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML DOCTYPE declaration.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Date Public
    2013-12-13 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T17:39:01.299Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2014:0170",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "http://rhn.redhat.com/errata/RHSA-2014-0170.html"
              },
              {
                "name": "RHSA-2014:0195",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "http://rhn.redhat.com/errata/RHSA-2014-0195.html"
              },
              {
                "name": "RHSA-2014:0172",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "http://rhn.redhat.com/errata/RHSA-2014-0172.html"
              },
              {
                "name": "RHSA-2014:0171",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "http://rhn.redhat.com/errata/RHSA-2014-0171.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://blog.sendsafely.com/post/69590974866/web-based-single-sign-on-and-the-dangers-of-saml-xml"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://shibboleth.net/community/advisories/secadv_20131213.txt"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1043332"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2013-12-13T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML DOCTYPE declaration."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-02-07T14:39:58.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2014:0170",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2014-0170.html"
            },
            {
              "name": "RHSA-2014:0195",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2014-0195.html"
            },
            {
              "name": "RHSA-2014:0172",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2014-0172.html"
            },
            {
              "name": "RHSA-2014:0171",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2014-0171.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://blog.sendsafely.com/post/69590974866/web-based-single-sign-on-and-the-dangers-of-saml-xml"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://shibboleth.net/community/advisories/secadv_20131213.txt"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1043332"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2013-6440",
        "datePublished": "2014-02-14T15:00:00.000Z",
        "dateReserved": "2013-11-04T00:00:00.000Z",
        "dateUpdated": "2024-08-06T17:39:01.299Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2009-3474 (GCVE-0-2009-3474)

    Vulnerability from cvelistv5 – Published: 2009-09-29 23:00 – Updated: 2024-08-07 06:31
    VLAI
    Summary
    OpenSAML 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, as used by Internet2 Shibboleth Service Provider 2.x before 2.2.1, do not follow the KeyDescriptor element's Use attribute, which allows remote attackers to use a certificate for both signing and encryption when it is designated for just one purpose, potentially weakening the intended security application of the certificate.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    http://www.securityfocus.com/bid/36516 vdb-entryx_refsource_BID
    https://exchange.xforce.ibmcloud.com/vulnerabilit… vdb-entryx_refsource_XF
    http://shibboleth.internet2.edu/secadv/secadv_200… x_refsource_CONFIRM
    http://secunia.com/advisories/36876 third-party-advisoryx_refsource_SECUNIA
    http://www.debian.org/security/2009/dsa-1896 vendor-advisoryx_refsource_DEBIAN
    http://secunia.com/advisories/36868 third-party-advisoryx_refsource_SECUNIA
    http://www.debian.org/security/2009/dsa-1895 vendor-advisoryx_refsource_DEBIAN
    https://bugs.internet2.edu/jira/browse/CPPOST-28 x_refsource_CONFIRM
    http://secunia.com/advisories/36855 third-party-advisoryx_refsource_SECUNIA
    Date Public
    2009-08-17 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-07T06:31:10.133Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "36516",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/36516"
              },
              {
                "name": "opensaml-keydescriptor-security-bypass(53474)",
                "tags": [
                  "vdb-entry",
                  "x_refsource_XF",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53474"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://shibboleth.internet2.edu/secadv/secadv_20090817a.txt"
              },
              {
                "name": "36876",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
                  "x_transferred"
                ],
                "url": "http://secunia.com/advisories/36876"
              },
              {
                "name": "DSA-1896",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "http://www.debian.org/security/2009/dsa-1896"
              },
              {
                "name": "36868",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
                  "x_transferred"
                ],
                "url": "http://secunia.com/advisories/36868"
              },
              {
                "name": "DSA-1895",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "http://www.debian.org/security/2009/dsa-1895"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugs.internet2.edu/jira/browse/CPPOST-28"
              },
              {
                "name": "36855",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
                  "x_transferred"
                ],
                "url": "http://secunia.com/advisories/36855"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2009-08-17T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "OpenSAML 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, as used by Internet2 Shibboleth Service Provider 2.x before 2.2.1, do not follow the KeyDescriptor element\u0027s Use attribute, which allows remote attackers to use a certificate for both signing and encryption when it is designated for just one purpose, potentially weakening the intended security application of the certificate."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-08-16T14:57:01.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "name": "36516",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/36516"
            },
            {
              "name": "opensaml-keydescriptor-security-bypass(53474)",
              "tags": [
                "vdb-entry",
                "x_refsource_XF"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53474"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://shibboleth.internet2.edu/secadv/secadv_20090817a.txt"
            },
            {
              "name": "36876",
              "tags": [
                "third-party-advisory",
                "x_refsource_SECUNIA"
              ],
              "url": "http://secunia.com/advisories/36876"
            },
            {
              "name": "DSA-1896",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "http://www.debian.org/security/2009/dsa-1896"
            },
            {
              "name": "36868",
              "tags": [
                "third-party-advisory",
                "x_refsource_SECUNIA"
              ],
              "url": "http://secunia.com/advisories/36868"
            },
            {
              "name": "DSA-1895",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "http://www.debian.org/security/2009/dsa-1895"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugs.internet2.edu/jira/browse/CPPOST-28"
            },
            {
              "name": "36855",
              "tags": [
                "third-party-advisory",
                "x_refsource_SECUNIA"
              ],
              "url": "http://secunia.com/advisories/36855"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2009-3474",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "OpenSAML 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, as used by Internet2 Shibboleth Service Provider 2.x before 2.2.1, do not follow the KeyDescriptor element\u0027s Use attribute, which allows remote attackers to use a certificate for both signing and encryption when it is designated for just one purpose, potentially weakening the intended security application of the certificate."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "36516",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/36516"
                },
                {
                  "name": "opensaml-keydescriptor-security-bypass(53474)",
                  "refsource": "XF",
                  "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53474"
                },
                {
                  "name": "http://shibboleth.internet2.edu/secadv/secadv_20090817a.txt",
                  "refsource": "CONFIRM",
                  "url": "http://shibboleth.internet2.edu/secadv/secadv_20090817a.txt"
                },
                {
                  "name": "36876",
                  "refsource": "SECUNIA",
                  "url": "http://secunia.com/advisories/36876"
                },
                {
                  "name": "DSA-1896",
                  "refsource": "DEBIAN",
                  "url": "http://www.debian.org/security/2009/dsa-1896"
                },
                {
                  "name": "36868",
                  "refsource": "SECUNIA",
                  "url": "http://secunia.com/advisories/36868"
                },
                {
                  "name": "DSA-1895",
                  "refsource": "DEBIAN",
                  "url": "http://www.debian.org/security/2009/dsa-1895"
                },
                {
                  "name": "https://bugs.internet2.edu/jira/browse/CPPOST-28",
                  "refsource": "CONFIRM",
                  "url": "https://bugs.internet2.edu/jira/browse/CPPOST-28"
                },
                {
                  "name": "36855",
                  "refsource": "SECUNIA",
                  "url": "http://secunia.com/advisories/36855"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2009-3474",
        "datePublished": "2009-09-29T23:00:00.000Z",
        "dateReserved": "2009-09-29T00:00:00.000Z",
        "dateUpdated": "2024-08-07T06:31:10.133Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2009-3476 (GCVE-0-2009-3476)

    Vulnerability from cvelistv5 – Published: 2009-09-29 23:00 – Updated: 2024-08-07 06:31
    VLAI
    Summary
    Buffer overflow in OpenSAML before 1.1.3 as used in Internet2 Shibboleth Service Provider software 1.3.x before 1.3.4, and XMLTooling before 1.2.2 as used in Internet2 Shibboleth Service Provider software 2.x before 2.2.1, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a malformed encoded URL.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    http://secunia.com/advisories/36870 third-party-advisoryx_refsource_SECUNIA
    http://www.securityfocus.com/bid/36514 vdb-entryx_refsource_BID
    http://secunia.com/advisories/36869 third-party-advisoryx_refsource_SECUNIA
    https://exchange.xforce.ibmcloud.com/vulnerabilit… vdb-entryx_refsource_XF
    http://shibboleth.internet2.edu/secadv/secadv_200… x_refsource_CONFIRM
    Date Public
    2009-08-26 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-07T06:31:09.966Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "36870",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
                  "x_transferred"
                ],
                "url": "http://secunia.com/advisories/36870"
              },
              {
                "name": "36514",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/36514"
              },
              {
                "name": "36869",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
                  "x_transferred"
                ],
                "url": "http://secunia.com/advisories/36869"
              },
              {
                "name": "opensaml-xmltooling-url-bo(53471)",
                "tags": [
                  "vdb-entry",
                  "x_refsource_XF",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53471"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://shibboleth.internet2.edu/secadv/secadv_20090826.txt"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2009-08-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Buffer overflow in OpenSAML before 1.1.3 as used in Internet2 Shibboleth Service Provider software 1.3.x before 1.3.4, and XMLTooling before 1.2.2 as used in Internet2 Shibboleth Service Provider software 2.x before 2.2.1, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a malformed encoded URL."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-08-16T14:57:01.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "name": "36870",
              "tags": [
                "third-party-advisory",
                "x_refsource_SECUNIA"
              ],
              "url": "http://secunia.com/advisories/36870"
            },
            {
              "name": "36514",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/36514"
            },
            {
              "name": "36869",
              "tags": [
                "third-party-advisory",
                "x_refsource_SECUNIA"
              ],
              "url": "http://secunia.com/advisories/36869"
            },
            {
              "name": "opensaml-xmltooling-url-bo(53471)",
              "tags": [
                "vdb-entry",
                "x_refsource_XF"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53471"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://shibboleth.internet2.edu/secadv/secadv_20090826.txt"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2009-3476",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Buffer overflow in OpenSAML before 1.1.3 as used in Internet2 Shibboleth Service Provider software 1.3.x before 1.3.4, and XMLTooling before 1.2.2 as used in Internet2 Shibboleth Service Provider software 2.x before 2.2.1, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a malformed encoded URL."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "36870",
                  "refsource": "SECUNIA",
                  "url": "http://secunia.com/advisories/36870"
                },
                {
                  "name": "36514",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/36514"
                },
                {
                  "name": "36869",
                  "refsource": "SECUNIA",
                  "url": "http://secunia.com/advisories/36869"
                },
                {
                  "name": "opensaml-xmltooling-url-bo(53471)",
                  "refsource": "XF",
                  "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53471"
                },
                {
                  "name": "http://shibboleth.internet2.edu/secadv/secadv_20090826.txt",
                  "refsource": "CONFIRM",
                  "url": "http://shibboleth.internet2.edu/secadv/secadv_20090826.txt"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2009-3476",
        "datePublished": "2009-09-29T23:00:00.000Z",
        "dateReserved": "2009-09-29T00:00:00.000Z",
        "dateUpdated": "2024-08-07T06:31:09.966Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }