The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML DOCTYPE declaration.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| shibboleth | opensaml | 2.4.1 |
| shibboleth | opensaml | 2.5.1 |
| shibboleth | opensaml | 2.5.2 |
| internet2 | opensaml | 2.0 |
| shibboleth | opensaml | * |
| shibboleth | opensaml | 2.5.0 |
| shibboleth | opensaml | 2.4.0 |
| internet2 | opensaml | 2.1.0 |
| shibboleth | opensaml | 2.4.2 |
| shibboleth | opensaml | 2.4.3 |
| internet2 | opensaml | 2.2.0 |
| shibboleth | opensaml | 2.5.3 |
Cross-site scripting (XSS) vulnerability in UiV2Public.index in Internet2 Grouper 2.2 and 2.3 allows remote attackers to inject arbitrary web script or HTML via the code parameter.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| internet2 | grouper | 2.2 |
| internet2 | grouper | 2.3 |
In Internet2 Grouper 5.17.1 before 5.20.5, group admins who are not Grouper sysadmins can configure loader jobs.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| cve@mitre.org | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N | 1.2 | 5.2 |
| nvd@nist.gov | 4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N | 1.2 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| internet2 | grouper | * |