Posted to commits@tomee.apache.org by "Nikhil (Jira)" <ji...@apache.org> on 2021/04/07 10:04:00 UTC

[jira] [Updated] (TOMEE-2997) Update OpenSAML to V3.4.6 or later

     [ https://issues.apache.org/jira/browse/TOMEE-2997?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nikhil updated TOMEE-2997:
--------------------------
    Attachment: opensaml_files.png

> Update OpenSAML to V3.4.6 or later
> ----------------------------------
>
>                 Key: TOMEE-2997
>                 URL: https://issues.apache.org/jira/browse/TOMEE-2997
>             Project: TomEE
>          Issue Type: Dependency upgrade
>          Components: TomEE Core Server
>    Affects Versions: 8.0.6
>            Reporter: Nikhil
>            Priority: Major
>         Attachments: opensaml_files.png
>
>
> TomEE latest available version 8.0.6 has the opensaml component version 3.3.1, which is vulnerable to the security issues mentioned below -
>  
> h1. Vulnerability Details
> h2. CVE-2020-27978
> *Vulnerability Published:* 2020-10-28 11:15 EDT
> *Vulnerability Updated:* 2020-10-28 12:26 EDT
> *CVSS Score:* (under review, not scored yet - updates will be reported in issue comments)
> *Summary*: Shibboleth Identity Provider 3.x before 3.4.6 has a denial of service flaw. A remote unauthenticated attacker can cause a login flow to trigger Java heap exhaustion due to the creation of objects in the Java Servlet container session.
> h2. BDSA-2019-4785
> *Affected Component(s):* OpenSAML 2.0
> *Vulnerability Published:* 2020-10-29 11:37 EDT
> *Vulnerability Updated:* 2020-10-29 11:37 EDT
> *CVSS Score:* 6.5 (overall), {color:#FF0000}7.5{color} (base)
> *Summary*: Shibboleth Identity Provider is vulnerable to denial-of-service (DoS) due to improper processing of authentication webflows. An attacker could exploit this vulnerability by supplying a system with maliciously crafted requests.
> ------------
>  
> The issue is fixed in version 3.4.6 or later.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)