Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score: 5.0
CVE Id: CVE-2013-6440
Last Modified: 05 Mar 2014 11:49:32
Published: 14 Feb 2014 10:55:05
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE

CVE-2013-6440

Summary

The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML DOCTYPE declaration.

Vulnerable Systems

Application

  • Internet2 Opensaml 2.0
  • Internet2 Opensaml 2.1.0
  • Internet2 Opensaml 2.2.0
  • Shibboleth Opensaml 2.4.0
  • Shibboleth Opensaml 2.4.1
  • Shibboleth Opensaml 2.4.2
  • Shibboleth Opensaml 2.4.3
  • Shibboleth Opensaml 2.5.0
  • Shibboleth Opensaml 2.5.1
  • Shibboleth Opensaml 2.5.2
  • Shibboleth Opensaml 2.5.3
  • Shibboleth Opensaml 2.6.0

References

CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1043332
CONFIRM - http://shibboleth.net/community/advisories/secadv_20131213.txt
REDHAT - RHSA-2014:0172
REDHAT - RHSA-2014:0171
REDHAT - RHSA-2014:0170
REDHAT - RHSA-2014:0195
MISC - http://blog.sendsafely.com/post/69590974866/web-based-single-sign-on-and-the-dangers-of-saml-xml

Last Updated: 27 May 2016 11:04:28