CVE-2013-6440 — Sensitive Information Exposure in Opensaml

CWE-200 — Sensitive Information Exposure CWE-611 — XML External Entity (XXE) Injection6 documents6 sources

Severity

5.0MEDIUMNVD

EPSS

0.8%

top 26.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Shibboleth Opensaml Internet2 Opensaml

Timeline

PublishedFeb 14

Latest updateMay 13

Description

The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML DOCTYPE declaration.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages2 packages

▶NVDshibboleth/opensaml2.6.0+8

▶NVDinternet2/opensaml2.0, 2.1.0, 2.2.0+2

🔴Vulnerability Details

GHSA

Exposure of Sensitive Information to an Unauthorized Actor in OpenSAML↗2022-05-13

▶

OSV

Exposure of Sensitive Information to an Unauthorized Actor in OpenSAML↗2022-05-13

▶

CVEList

CVE-2013-6440: The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2↗2014-02-14

▶

📋Vendor Advisories

Red Hat

Java: XML eXternal Entity (XXE) flaw in ParserPool and Decrypter↗2013-12-11

▶

💬Community

Bugzilla

CVE-2013-6440 XMLTooling-J/OpenSAML Java: XML eXternal Entity (XXE) flaw in ParserPool and Decrypter↗2013-12-16

▶