CVSS: 7.5 • EPSS: 0% • CPEs: 3 • EXPL: 0

Shibboleth XMLTooling before 3.2.4, as used in OpenSAML and Shibboleth Service Provider, allows SSRF via a crafted KeyInfo element. (This is fixed in, for example, Shibboleth Service Provider 3.4.1.3 on Windows.)

• https://shibboleth.net/community/advisories/secadv_20230612.txt
• https://www.debian.org/security/2023/dsa-5432
• CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 7.5 • EPSS: 2% • CPEs: 7 • EXPL: 0

The XMLTooling library all versions prior to V3.0.4, provided with the OpenSAML and Shibboleth Service Provider software, contains an XML parsing class. Invalid data in the XML declaration causes an exception of a type that was not handled properly in the parser class and propagates an unexpected exception type.

• http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00079.html
• http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00095.html
• https://bugs.launchpad.net/ubuntu/+source/xmltooling/+bug/1819912
• https://security.netapp.com/advisory/ntap-20190611-0003
• https://shibboleth.net/community/advisories/secadv_20190311.txt
• https://usn.ubuntu.com/3921-1
• https://wiki.shibboleth.net/confluence/display/SP3/SecurityAdvisories
• CWE-755: Improper Handling of Exceptional Conditions

CVSS: 5.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

XMLTooling-C before 1.5.5, as used in OpenSAML-C and Shibboleth Service Provider (SP), does not properly handle integer conversion exceptions, which allows remote attackers to cause a denial of service (crash) via schema-invalid XML data.

• http://shibboleth.net/community/advisories/secadv_20150721.txt
• http://www.debian.org/security/2015/dsa-3321
• http://www.securityfocus.com/bid/76134
• https://git.shibboleth.net/view/?p=cpp-xmltooling.git%3Ba=commitdiff%3Bh=2d795c731e6729309044607154978696a87fd900
• CWE-189: Numeric Errors

CVSS: 9.3 • EPSS: 3% • CPEs: 14 • EXPL: 0

Buffer overflow in OpenSAML before 1.1.3 as used in Internet2 Shibboleth Service Provider software 1.3.x before 1.3.4, and XMLTooling before 1.2.2 as used in Internet2 Shibboleth Service Provider software 2.x before 2.2.1, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a malformed encoded URL.

• http://secunia.com/advisories/36869
• http://secunia.com/advisories/36870
• http://shibboleth.internet2.edu/secadv/secadv_20090826.txt
• http://www.securityfocus.com/bid/36514
• https://exchange.xforce.ibmcloud.com/vulnerabilities/53471
• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSS: 7.5 • EPSS: 0% • CPEs: 14 • EXPL: 0

OpenSAML 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, as used by Internet2 Shibboleth Service Provider 2.x before 2.2.1, do not follow the KeyDescriptor element's Use attribute, which allows remote attackers to use a certificate for both signing and encryption when it is designated for just one purpose, potentially weakening the intended security application of the certificate.

• http://secunia.com/advisories/36855
• http://secunia.com/advisories/36868
• http://secunia.com/advisories/36876
• http://shibboleth.internet2.edu/secadv/secadv_20090817a.txt
• http://www.debian.org/security/2009/dsa-1895
• http://www.debian.org/security/2009/dsa-1896
• http://www.securityfocus.com/bid/36516
• https://bugs.internet2.edu/jira/browse/CPPOST-28
• https://exchange.xforce.ibmcloud.com/vulnerabilities/53474
• CWE-310: Cryptographic Issues