Upgrade cpp-opensaml to version 3.3.1 or higher.
Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature. An attacker could bypass the library's signature verification of non-XML based signed messages by creatively manipulating parameters and reusing contents of older requests.
Notes:
This vulnerability affects the Shibboleth Service Provider because of its support for the HTTP-POST-SimpleSign SAML binding for Single Sign-On responses; that support is what makes the issue critical, and it is enabled by default (regardless of what one's published SAML metadata may advertise).
On non-Windows platforms the upgrade to the fix version is sufficient to address the issue with a subsequent restart of the Service Provider's "shibd" daemon to pick up the change.
On Windows, the Service Provider V3.5.0.1 (or later) installer contains the updated OpenSAML DLL and must be applied to obtain the fix.
This can be mitigated by removing the "SimpleSigning" security policy rule from the security-policy.xml file entirely.
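As an added example (not code from the advisory or the Shibboleth project), the following Python audits a security-policy.xml for the "SimpleSigning" rule and produces a copy with that rule removed. It assumes the SP 3 configuration namespace urn:mace:shibboleth:3.0:native:sp:config and the <Policy>/<PolicyRule type="..."> layout; the sample document is constructed.

```python
# Added example: audit a Shibboleth SP security-policy.xml for the
# "SimpleSigning" PolicyRule and emit a copy without it (the mitigation above).
# Assumptions: SP 3 config namespace and <Policy>/<PolicyRule type="..."> layout;
# SAMPLE_POLICY is a constructed document, not a file from any real deployment.
import xml.etree.ElementTree as ET

SP_NS = "urn:mace:shibboleth:3.0:native:sp:config"
POLICY_TAG = f"{{{SP_NS}}}PolicyRule"
POLICY_PARENT_TAG = f"{{{SP_NS}}}Policy"

# Constructed sample resembling a default security-policy.xml (assumption).
SAMPLE_POLICY = f"""<SecurityPolicies xmlns="{SP_NS}">
  <Policy id="default" validate="false">
    <PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>
    <PolicyRule type="ClientCertAuth" errorFatal="true"/>
    <PolicyRule type="XMLSigning" errorFatal="true"/>
    <PolicyRule type="SimpleSigning" errorFatal="true"/>
  </Policy>
</SecurityPolicies>
"""


def policies_with_rule(xml_text: str, rule_type: str = "SimpleSigning") -> list:
    """Return the ids of every <Policy> that still carries a rule of rule_type."""
    root = ET.fromstring(xml_text)
    hits = []
    for policy in root.iter(POLICY_PARENT_TAG):
        if any(r.get("type") == rule_type for r in policy.findall(POLICY_TAG)):
            hits.append(policy.get("id", "<no id>"))
    return hits


def strip_rule(xml_text: str, rule_type: str = "SimpleSigning") -> str:
    """Return the document text with every PolicyRule of rule_type removed."""
    ET.register_namespace("", SP_NS)  # keep the default namespace on output
    root = ET.fromstring(xml_text)
    for policy in root.iter(POLICY_PARENT_TAG):
        # Collect first, then remove, so we never mutate while iterating.
        doomed = [r for r in policy.findall(POLICY_TAG) if r.get("type") == rule_type]
        for rule in doomed:
            policy.remove(rule)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("policies using SimpleSigning:", policies_with_rule(SAMPLE_POLICY))
    hardened = strip_rule(SAMPLE_POLICY)
    print("after removal:", policies_with_rule(hardened))
```

To audit a real deployment, read the file's text in place of SAMPLE_POLICY and write the result back; restart shibd afterwards so the daemon picks up the change.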