CVE-2013-6440

CVSS v2.0 5 (Medium)
EPSS 0.27 % (68th)
Affected Products 2
Advisories 1

The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML DOCTYPE declaration.

Weaknesses
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE Status
PUBLISHED
CNA
Red Hat, Inc.
Published Date
2014-02-14 15:55:05
(10 years ago)
Updated Date
2022-02-07 16:15:12
(2 years ago)

Affected Products


Configuration #1

  Vendor      Product   Version                   CPE23                                From  Up To
  Internet2   Opensaml  2.0                       cpe:2.3:a:internet2:opensaml:2.0
  Internet2   Opensaml  2.1.0                     cpe:2.3:a:internet2:opensaml:2.1.0
  Internet2   Opensaml  2.2.0                     cpe:2.3:a:internet2:opensaml:2.2.0
  Shibboleth  Opensaml  2.6.0 and prior versions  cpe:2.3:a:shibboleth:opensaml              <= 2.6.0
  Shibboleth  Opensaml  2.4.0                     cpe:2.3:a:shibboleth:opensaml:2.4.0
  Shibboleth  Opensaml  2.4.1                     cpe:2.3:a:shibboleth:opensaml:2.4.1
  Shibboleth  Opensaml  2.4.2                     cpe:2.3:a:shibboleth:opensaml:2.4.2
  Shibboleth  Opensaml  2.4.3                     cpe:2.3:a:shibboleth:opensaml:2.4.3
  Shibboleth  Opensaml  2.5.0                     cpe:2.3:a:shibboleth:opensaml:2.5.0
  Shibboleth  Opensaml  2.5.1                     cpe:2.3:a:shibboleth:opensaml:2.5.1
  Shibboleth  Opensaml  2.5.2                     cpe:2.3:a:shibboleth:opensaml:2.5.2
  Shibboleth  Opensaml  2.5.3                     cpe:2.3:a:shibboleth:opensaml:2.5.3