FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

opensaml2 -- unauthenticated login

Affected packages
0 < opensaml2 < 2.4.3

Details

VuXML ID 9f14cb36-b6fc-11e0-a044-445c73746d79
Discovery 2011-07-25
Entry 2011-07-25

OpenSAML developer reports:

The Shibboleth software relies on the OpenSAML libraries to perform verification of signed XML messages such as attribute queries or SAML assertions. Both the Java and C++ versions are vulnerable to a so-called "wrapping attack" that allows a remote, unauthenticated attacker to craft specially formed messages that can be successfully verified, but contain arbitrary content.
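
A structural check that complements signature verification against the wrapping attack described above, as an added example (not OpenSAML or Shibboleth code, and not the fix shipped in 2.4.3): it returns only the assertions that an enveloped signature actually references, and rejects duplicate IDs. The function names and the sample message are constructed for illustration; cryptographic verification of each signature is assumed to be done separately by an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from collections import Counter

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

def signed_assertions(xml_text):
    """Return the Assertion elements that a signature structurally covers."""
    root = ET.fromstring(xml_text)  # for untrusted input prefer a hardened parser
    # An ID that resolves to more than one element makes "#id" ambiguous.
    ids = Counter(e.get("ID") for e in root.iter() if e.get("ID"))
    dupes = sorted(i for i, n in ids.items() if n > 1)
    if dupes:
        raise ValueError(f"duplicate ID values: {dupes}")
    covered = []
    for a in root.iter(f"{{{SAML}}}Assertion"):
        sig = a.find(f"{{{DS}}}Signature")  # direct child only (enveloped)
        if sig is None:
            continue
        refs = sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
        aid = a.get("ID")
        # The single Reference must point at the element that carries it.
        if aid and len(refs) == 1 and refs[0].get("URI") == "#" + aid:
            covered.append(a)
    return covered

def subject(assertion):
    return assertion.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")

def make_assertion(aid, name, signed):
    """Build a constructed sample assertion (structure only, no real signature)."""
    sig = (f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>'
           f'<ds:Reference URI="#{aid}"/></ds:SignedInfo></ds:Signature>') if signed else ""
    return (f'<Assertion xmlns="{SAML}" ID="{aid}">{sig}'
            f'<Subject><NameID>{name}</NameID></Subject></Assertion>')

# Constructed sample: one uncovered and one signature-covered assertion.
SAMPLE = ('<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1">'
          + make_assertion("_x9", "mallory", False)
          + make_assertion("_a1", "alice", True) + '</Response>')

if __name__ == "__main__":
    print([subject(a) for a in signed_assertions(SAMPLE)])
```

A consumer should read subject and attribute data only from the elements this function returns, never from a fresh lookup by tag name on the same document.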

References

CVE Name CVE-2011-1411
Message CA530061.113D6%cantor.2@osu.edu