Search for packages
| purl | pkg:maven/org.opensaml/opensaml@2.5.3 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 3.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2r1u-v64e-jbbw
Aliases: CVE-2014-3603 GHSA-rm7v-gqfg-p2wc |
Improper Validation of Certificate with Host Mismatch The (1) `HttpResource` and (2) `FileBackedHttpResource` implementations in OpenSAML do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or `subjectAltName` field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-grv5-69mv-5fdr
Aliases: CVE-2015-1796 GHSA-78fq-w796-q537 |
Improper Certificate Validation in Shibboleth Identity Provider and OpenSAML The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor. |
Affected by 0 other vulnerabilities. |
|
VCID-z9nz-nkff-kfez
Aliases: CVE-2013-6440 GHSA-v723-58jv-2qc4 |
XML eXternal Entity (XXE) flaw in ParserPool and Decrypter The `BasicParserPool`, `StaticBasicParserPool`, XML Decrypter, and SAML Decrypter in this package set the expandEntityReferences property to `true`, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML DOCTYPE declaration. |
Affected by 2 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||