OpenAthens SP for Java SAML Assertion Signature Validation Vulnerability
Release Date : 2012-10-24
Criticality level : Less critical
Impact : Security Bypass
Where : From remote
Solution Status : Vendor Patch
Software: OpenAthens SP 2.x
A vulnerability has been reported in OpenAthens SP, which can be exploited by malicious people to bypass certain security restrictions.
The vulnerability is caused by an error in the validation of signatures on a SAML assertion. This can be exploited to gain access to protected resources via a specially crafted XML document.
The vulnerability is reported in versions prior to 2.01.
Update to version 2.01.
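The cited paper, "On Breaking SAML", analyses XML Signature Wrapping, where a signed assertion is left intact but the service provider is led to consume a different element. As an added illustration that is not OpenAthens code, the Python check below assumes a SAML Response whose assertion carries an enveloped signature with a same-document Reference, and enforces that the signature's Reference resolves uniquely to exactly the assertion being consumed; cryptographic checking of SignatureValue is assumed to be done separately by an XML-DSig library.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

def consumed_assertion(root):
    # What a naive SP consumes: the first saml:Assertion in document order.
    return root.find(f".//{{{SAML}}}Assertion")

def consumed_assertion_id(xml_text):
    return consumed_assertion(ET.fromstring(xml_text)).get("ID")

def signed_assertion_id(xml_text):
    """Return the consumed assertion's ID only if the enveloped signature's
    Reference resolves, uniquely over the whole document, to that very element.
    Verifying SignatureValue is assumed to happen in the XML-DSig library."""
    root = ET.fromstring(xml_text)
    assertion = consumed_assertion(root)
    if assertion is None:
        raise ValueError("no assertion present")
    sigs = assertion.findall(f"{{{DS}}}Signature")  # direct child only: enveloped
    if len(sigs) != 1:
        raise ValueError("assertion must carry exactly one enveloped signature")
    refs = sigs[0].findall(f".//{{{DS}}}Reference")
    uri = refs[0].get("URI", "") if len(refs) == 1 else ""
    if not uri.startswith("#"):
        raise ValueError("expected exactly one same-document Reference")
    # Resolve the ID against every element so that duplicate IDs are caught too.
    targets = [e for e in root.iter() if e.get("ID") == uri[1:]]
    if len(targets) != 1 or targets[0] is not assertion:
        raise ValueError("signature does not cover the assertion being consumed")
    return assertion.get("ID")

# Constructed samples, not real OpenAthens traffic; SignatureValue is omitted.
HDR = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
       f'xmlns:saml="{SAML}" xmlns:ds="{DS}">')
SIG = '<ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>'
def assertion_xml(aid, name):
    return f'<saml:Assertion ID="{aid}">{SIG}<saml:Subject><saml:NameID>{name}</saml:NameID></saml:Subject></saml:Assertion>'

LEGIT = f"{HDR}{assertion_xml('_a1', 'alice')}</samlp:Response>"
# The signed assertion moved where the SP does not look, with another assertion
# in its place that merely copies the signature block still referencing _a1.
WRAPPED = (f"{HDR}{assertion_xml('_a2', 'bob')}"
           f"<samlp:Extensions>{assertion_xml('_a1', 'alice')}</samlp:Extensions></samlp:Response>")
# Same shape, but the substitute reuses the ID _a1, so ID lookup becomes ambiguous.
DUPLICATE_ID = (f"{HDR}{assertion_xml('_a1', 'bob')}"
                f"<samlp:Extensions>{assertion_xml('_a1', 'alice')}</samlp:Extensions></samlp:Response>")
```

A position-based SP would read `_a2` from WRAPPED; the binding check rejects both WRAPPED and DUPLICATE_ID while accepting LEGIT.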
Provided and/or discovered by:
Juraj Somorovsky, Andreas Mayer, Jörg Schwenk, Marco Kampmann, and Meiko Jensen in the paper "On Breaking SAML".
"On Breaking SAML":