org.opensaml:xmltooling@1.3.4 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.opensaml:xmltooling package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
XML External Entity (XXE) Injection

org.opensaml:xmltooling low-level library that may be used to construct libraries that allow developers to work with XML in a Java beans manner.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter set the expandEntityReferences property to true, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML DOCTYPE declaration.

How to fix XML External Entity (XXE) Injection?

Upgrade org.opensaml:xmltooling to version 1.4.4 or higher.

[,1.4.4)