[IdP] Used SAML Libraries

Forge Component
Published on 7 Jan by Telmo Martins
32 votes

Recently I received an email with the following security alert:

Vulnerability Note VU#475445
Multiple SAML libraries may allow authentication bypass via incorrect XML canonicalization and DOM traversal

Can someone from the team confirm that the IDP module does not use a SAML library that is affected by this vulnerability?

I got the same alert and have same question. Can anyone answer this?



This IdP component (on both stacks, Java and .NET) is not affected by this vulnerability. The issue concerns some XML parsers/APIs that do not "behave" as expected when there are XML comments inline in XML text values, which is not the case.

To confirm, I had done some additional tests, and the "real" XML inner text value is correctly parsed and returned by the APIs used in the IdP component.
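An added check, not part of this thread or of the IdP component's code, that reproduces the parser behaviour the reply above refers to: a NameID whose text is split by an inline XML comment, parsed with Python's standard-library DOM. It shows the fragile first-child extraction that VU#475445 describes beside two safe alternatives; the sample assertion and the function names are constructed for this example.

```python
import xml.dom.minidom

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: the NameID text is interrupted by an inline comment,
# so the DOM holds two text nodes with a comment node between them.
SAMPLE_ASSERTION = (
    f'<saml:Assertion xmlns:saml="{SAML_NS}"><saml:Subject>'
    '<saml:NameID>user@example.com<!-- split -->.example.org</saml:NameID>'
    '</saml:Subject></saml:Assertion>'
)
# What the signed value is after canonicalization (comments stripped).
EXPECTED_NAME_ID = "user@example.com.example.org"


def name_id_element(xml_text):
    """Parse the assertion and return its NameID element node."""
    doc = xml.dom.minidom.parseString(xml_text)
    return doc.getElementsByTagNameNS(SAML_NS, "NameID")[0]


def naive_text(elem):
    """Fragile pattern: assumes the element holds exactly one text node,
    so it silently returns only the fragment before the comment."""
    return elem.firstChild.nodeValue


def full_text(elem):
    """Safe: concatenate every text/CDATA child, ignore comments (as c14n does),
    and refuse anything else (e.g. a nested element)."""
    parts = []
    for child in elem.childNodes:
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            parts.append(child.data)
        elif child.nodeType != child.COMMENT_NODE:
            raise ValueError("unexpected child node in NameID")
    return "".join(parts)


def strict_text(elem):
    """Stricter: accept only a NameID made of a single text node."""
    if len(elem.childNodes) != 1 or elem.firstChild.nodeType != elem.TEXT_NODE:
        raise ValueError("NameID must be a single text node")
    return elem.firstChild.data


def extraction_is_safe(extract, xml_text=SAMPLE_ASSERTION):
    """True if extract() yields the canonical value or rejects the input."""
    try:
        return extract(name_id_element(xml_text)) == EXPECTED_NAME_ID
    except ValueError:
        return True
```

Run the same check against the extraction routine your own SAML library uses; a result that differs from the canonicalized value is the condition the vulnerability note warns about.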



Hello Telmo,

Thank you for the quick response and good to read the IDP module is not affected.

Thank you!

Best regards,

Ben van der Linden