CVE-2011-1411

Shibboleth OpenSAML <2.4.3, <2.5.1 - Auth Bypass

Description

Shibboleth OpenSAML library 2.4.x before 2.4.3 and 2.5.x before 2.5.1, and IdP before 2.3.2, allows remote attackers to forge messages and bypass authentication via an "XML Signature wrapping attack."

Scores

EPSS 0.0028
EPSS Percentile 51.2%

Classification

CWE
CWE-287
Status draft

Affected Products (16)

shibboleth/opensaml
shibboleth/opensaml
shibboleth/opensaml
shibboleth/opensaml
shibboleth/shibboleth-identity-provider < 2.3.1
shibboleth/shibboleth-identity-provider
shibboleth/shibboleth-identity-provider
shibboleth/shibboleth-identity-provider
shibboleth/shibboleth-identity-provider
shibboleth/shibboleth-identity-provider
shibboleth/shibboleth-identity-provider
shibboleth/shibboleth-identity-provider
shibboleth/shibboleth-identity-provider
shibboleth/shibboleth-identity-provider
shibboleth/shibboleth-identity-provider
... and 1 more

Timeline

Published Sep 02, 2011
Tracked Since Feb 18, 2026