CVE-2013-6440
Published 2014-02-14
Priority: P4 · 29 · medium · 5 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS: 2.75% (84.4th percentile)
The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML DOCTYPE declaration.
Affected (12 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| internet2 | opensaml | — | — |
| internet2 | opensaml | — | — |
| internet2 | opensaml | — | — |
| shibboleth | opensaml | <= 2.6.0 | — |
| shibboleth | opensaml | — | — |
| shibboleth | opensaml | — | — |
| shibboleth | opensaml | — | — |
| shibboleth | opensaml | — | — |
| shibboleth | opensaml | — | — |
| shibboleth | opensaml | — | — |
| shibboleth | opensaml | — | — |
| shibboleth | opensaml | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vendor_redhat | — | 5.0 | MEDIUM | — |
GHSA · 2022-05-13
CVE-2013-6440 [MEDIUM] CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in OpenSAML
OSV · 2022-05-13
CVE-2013-6440 [MEDIUM]: Exposure of Sensitive Information to an Unauthorized Actor in OpenSAML
Red Hat (vendor_redhat) · 2013-12-11 · CVSS 5.0
CVE-2013-6440 [MEDIUM] CWE-611: Java: XML eXternal Entity (XXE) flaw in ParserPool and Decrypter
It was found that the ParserPool and Decrypter classes in the OpenSAML Java implementation resolved external entities, permitting XML External Entity (XXE) attacks. A remote attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
Package: xmltooling (Red Hat JBoss Data Virtualization 6) - Not affected
Package: xmltooling (Red Hat JB
No detection rules found.
No public exploits indexed.
References
- http://blog.sendsafely.com/post/69590974866/web-based-single-sign-on-and-the-dangers-of-saml-xml
- http://rhn.redhat.com/errata/RHSA-2014-0170.html
- http://rhn.redhat.com/errata/RHSA-2014-0171.html
- http://rhn.redhat.com/errata/RHSA-2014-0172.html
- http://rhn.redhat.com/errata/RHSA-2014-0195.html
- http://shibboleth.net/community/advisories/secadv_20131213.txt
- https://bugzilla.redhat.com/show_bug.cgi?id=1043332
- https://www.oracle.com/security-alerts/cpujan2022.html