1549361 – (CVE-2018-0489) CVE-2018-0489 openSAML: Mishandling of comments in SAML content can lead to bypass of signature verification

Bug 1549361 (CVE-2018-0489) - CVE-2018-0489 openSAML: Mishandling of comments in SAML content can lead to bypass of signature verification

Summary: CVE-2018-0489 openSAML: Mishandling of comments in SAML content can lead to b...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2018-0489
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1550480
Blocks:	1549318
TreeView+	depends on / blocked

Reported:	2018-02-27 00:43 UTC by Sam Fowler
Modified:	2021-06-10 14:52 UTC (History)
CC List:	28 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2019-06-08 03:41:25 UTC
Embargoed:

Attachments	(Terms of Use)

Description Sam Fowler 2018-02-27 00:43:05 UTC

openSAML does not properly verify comments in SAML content which can allow a remote attacker to modify SAML content without invalidating the cryptographic signature, leading to bypass of primary authentication.

Comment 1 Jason Shepherd 2018-03-01 09:38:05 UTC

Created opensaml tracking bugs for this issue:

Affects: fedora-all [bug 1550480]

Comment 2 Jason Shepherd 2018-03-01 09:51:05 UTC

The Upstream Advisory is here:
https://shibboleth.net/community/advisories/secadv_20180227.txt

Note You need to log in before you can comment on or make changes to this bug.

bmaxwell
bruno
cdewolf
chazlett
csutherl
darran.lofthouse
dimitris
dosoudil
fgavrilo
guido.grazioli
jawilson
jondruse
jshepherd
lgao
myarboro
pgier
pjurak
ppalaga
psakar
pslavice
psotirop
rnetuka
rstancel
rsvoboda
security-response-team
twalsh
vtunka
yozone