4 results (0.002 seconds)

CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0

Shibboleth XMLTooling before 3.2.4, as used in OpenSAML and Shibboleth Service Provider, allows SSRF via a crafted KeyInfo element. (This is fixed in, for example, Shibboleth Service Provider 3.4.1.3 on Windows.) • https://shibboleth.net/community/advisories/secadv_20230612.txt https://www.debian.org/security/2023/dsa-5432 • CWE-918: Server-Side Request Forgery (SSRF) •

CVSS: 7.5EPSS: 2%CPEs: 7EXPL: 0

The XMLTooling library all versions prior to V3.0.4, provided with the OpenSAML and Shibboleth Service Provider software, contains an XML parsing class. Invalid data in the XML declaration causes an exception of a type that was not handled properly in the parser class and propagates an unexpected exception type. La libreria XMLTooling, en todas las versiones anteriores a la V3.0.4, suministrada con el software OpenSAML y Shibboleth Service Provider, contiene una clase de parser XML. Los datos no válidos en la declaración XML causan una excepción de un tipo debido a que se manejó de forma incorrecta en la clase parser y propaga un tipo de excepción inesperado. • http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00079.html http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00095.html https://bugs.launchpad.net/ubuntu/+source/xmltooling/+bug/1819912 https://security.netapp.com/advisory/ntap-20190611-0003 https://shibboleth.net/community/advisories/secadv_20190311.txt https://usn.ubuntu.com/3921-1 https://wiki.shibboleth.net/confluence/display/SP3/SecurityAdvisories • CWE-755: Improper Handling of Exceptional Conditions •

CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0

XMLTooling-C before 1.5.5, as used in OpenSAML-C and Shibboleth Service Provider (SP), does not properly handle integer conversion exceptions, which allows remote attackers to cause a denial of service (crash) via schema-invalid XML data. Vulnerabilidad en XMLTooling-C en versión anterior a 1.5.5, tal como se utiliza en OpenSAML-C y Shibboleth Service Provider (SP), no maneja correctamente las excepciones de conversión de entero, lo que permite a atacantes remotos provocar una denegación de servicio (caída) a través de datos XML de esquema no válido. • http://shibboleth.net/community/advisories/secadv_20150721.txt http://www.debian.org/security/2015/dsa-3321 http://www.securityfocus.com/bid/76134 https://git.shibboleth.net/view/?p=cpp-xmltooling.git%3Ba=commitdiff%3Bh=2d795c731e6729309044607154978696a87fd900 • CWE-189: Numeric Errors •

CVSS: 9.3EPSS: 3%CPEs: 14EXPL: 0

Buffer overflow in OpenSAML before 1.1.3 as used in Internet2 Shibboleth Service Provider software 1.3.x before 1.3.4, and XMLTooling before 1.2.2 as used in Internet2 Shibboleth Service Provider software 2.x before 2.2.1, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a malformed encoded URL. Desbordamiento de búfer en OpenSAML anterior a v1.1.3 utilizado en Internet2 Shibboleth Service Provider software v1.3.x anterior a v1.3.4, y XMLTooling anterior a v1.2.2 utilizado en Internet2 Shibboleth Service Provider software v2.x anterior a 2.2.1, permite a atacantes remotos provocar una denegación de servicio y posiblemente ejecutar código de su elección a través de una URL codificada mal formada. • http://secunia.com/advisories/36869 http://secunia.com/advisories/36870 http://shibboleth.internet2.edu/secadv/secadv_20090826.txt http://www.securityfocus.com/bid/36514 https://exchange.xforce.ibmcloud.com/vulnerabilities/53471 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •