Description
Shibboleth OpenSAML library 2.4.x before 2.4.3 and 2.5.x before 2.5.1, and IdP before 2.3.2, allows remote attackers to forge messages and bypass authentication via an "XML Signature wrapping attack."
References (5)
Vendor Advisory (x_refsource_confirm): http://shibboleth.internet2.edu/secadv/secadv_20110725.txt
Third Party Advisory (vendor-advisory, x_refsource_debian): http://www.debian.org/security/2011/dsa-2284
Third Party Advisory (third-party-advisory, x_refsource_secunia): http://secunia.com/advisories/50994
Vendor Advisory (x_refsource_confirm): http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
Vendor Advisory (vendor-advisory, x_refsource_mandriva): http://www.mandriva.com/security/advisories?name=MDVSA-2013:150
Scores
EPSS: 0.0229
EPSS Percentile: 81.1%
Details
CWE: CWE-287
Status: published
Products (16)
org.opensaml/opensaml 2.4.0 - 2.4.3 (Maven)
shibboleth/opensaml 2.4.0
shibboleth/opensaml 2.4.1
shibboleth/opensaml 2.4.2
shibboleth/opensaml 2.5.0
shibboleth/shibboleth-identity-provider 2.0.0
shibboleth/shibboleth-identity-provider 2.1.0
shibboleth/shibboleth-identity-provider 2.1.1
shibboleth/shibboleth-identity-provider 2.1.2
shibboleth/shibboleth-identity-provider 2.1.3
... and 6 more
Published: Sep 02, 2011
Tracked Since: Feb 18, 2026