OpenSAML
cpe:2.3:a:shibboleth:opensaml:*:*:*:*:*:*:*
A vulnerability in the OpenSAML C++ library before version 3.3.1 allows signed SAML messages to be forged through parameter manipulation. The issue affects SAML bindings that rely on non-XML signatures: by manipulating parameters and reusing content from older requests, an attacker can bypass the library's signature verification.
Successful exploitation allows signed SAML messages to be forged, which has critical security implications, particularly for deployments of the Shibboleth Service Provider.
Users of the OpenSAML C++ library should upgrade to version 3.3.1 or later. Shibboleth Service Provider users should upgrade to version 3.5.0.1 or later. After updating, restart the 'shibd' daemon to apply the change. On Windows, the update must be applied through the Service Provider installer, version 3.5.0.1 or later.
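The "non-XML signature" bindings the advisory refers to are those, like the SAML 2.0 HTTP-Redirect binding, in which the signature covers URL query-string parameters rather than an XML Signature inside the message. The example below is added here for illustration and is not OpenSAML or Shibboleth code, nor the fix the project shipped. It shows the two properties a receiver of such a binding needs: the signature is checked over the raw, still-encoded parameters in the order the binding mandates, with ambiguous (duplicated or conflicting) parameters rejected outright, and an already-seen message ID is refused so that content captured from an older, validly signed request cannot be presented again. HMAC-SHA256 stands in for the RSA/DSA algorithms a real SigAlg URI would name; `STAND_IN_SIGALG`, `DEMO_KEY` and the minimal AuthnRequest are constructed placeholders.

```python
import base64
import hashlib
import hmac
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import quote, unquote

# Constructed placeholders: HMAC-SHA256 stands in for the asymmetric SigAlg
# values used in real deployments, so the example runs without a key pair.
STAND_IN_SIGALG = "urn:example:hmac-sha256"
DEMO_KEY = b"constructed-shared-key"

SAMPLE_AUTHN_REQUEST = (  # constructed, minimal AuthnRequest
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_constructed-id-001" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"/>'
)


def build_signed_query(xml_bytes, relay_state, key):
    """Sender side: raw DEFLATE + base64 + URL-encode, then sign the query text."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml_bytes) + comp.flush()
    parts = [("SAMLRequest", quote(base64.b64encode(deflated).decode(), safe=""))]
    if relay_state is not None:
        parts.append(("RelayState", quote(relay_state, safe="")))
    parts.append(("SigAlg", quote(STAND_IN_SIGALG, safe="")))
    query = "&".join(f"{n}={v}" for n, v in parts)
    sig = hmac.new(key, query.encode("ascii"), hashlib.sha256).digest()
    return query + "&Signature=" + quote(base64.b64encode(sig).decode(), safe="")


def split_raw_query(query):
    """Split on '&' and '=' WITHOUT percent-decoding, and reject duplicate names.
    The binding signs the encoded text exactly as sent; a repeated parameter is
    the usual way to make the signed value and the consumed value diverge."""
    params = {}
    for part in query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        if name in params:
            raise ValueError(f"duplicate parameter: {name}")
        params[name] = value
    return params


def signed_data(params):
    """Rebuild the exact byte string the sender signed, in the mandated order."""
    if ("SAMLRequest" in params) == ("SAMLResponse" in params):
        raise ValueError("exactly one of SAMLRequest/SAMLResponse required")
    msg = "SAMLRequest" if "SAMLRequest" in params else "SAMLResponse"
    pieces = [f"{msg}={params[msg]}"]
    if "RelayState" in params:
        pieces.append(f"RelayState={params['RelayState']}")
    pieces.append(f"SigAlg={params['SigAlg']}")
    return "&".join(pieces).encode("ascii")


def verify_signature(params, key):
    """Constant-time check of the presented signature against the raw query."""
    if "Signature" not in params or "SigAlg" not in params:
        raise ValueError("message is not signed")
    if unquote(params["SigAlg"]) != STAND_IN_SIGALG:
        raise ValueError("unsupported SigAlg")
    presented = base64.b64decode(unquote(params["Signature"]))
    expected = hmac.new(key, signed_data(params), hashlib.sha256).digest()
    if not hmac.compare_digest(presented, expected):
        raise ValueError("signature does not verify")


def decode_message(encoded):
    """Reverse the encoding: URL-decode, base64-decode, inflate raw DEFLATE."""
    return ET.fromstring(zlib.decompress(base64.b64decode(unquote(encoded)), -15))


class ReplayCache:
    """Remembers message IDs inside the acceptance window, so a validly signed
    message captured earlier cannot simply be presented a second time."""

    def __init__(self, max_age_s=300):
        self.max_age_s = max_age_s
        self.seen = {}  # message ID -> time first accepted

    def accept(self, root, now):
        msg_id, issued_s = root.get("ID"), root.get("IssueInstant")
        if not msg_id or not issued_s:
            raise ValueError("message lacks ID or IssueInstant")
        issued = datetime.strptime(issued_s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        age = (now - issued).total_seconds()
        if age < -30 or age > self.max_age_s:  # 30 s clock-skew allowance
            raise ValueError("message outside acceptance window")
        self.seen = {k: t for k, t in self.seen.items()
                     if (now - t).total_seconds() <= self.max_age_s}
        if msg_id in self.seen:
            raise ValueError("replayed message ID")
        self.seen[msg_id] = now
        return msg_id


def receive(query, key, cache, now):
    """Receiver path: returns the accepted message ID or raises ValueError."""
    params = split_raw_query(query)
    verify_signature(params, key)  # authenticate the raw query first ...
    msg = params.get("SAMLRequest") or params["SAMLResponse"]
    return cache.accept(decode_message(msg), now)  # ... then vet the message itself
```

Note that `receive` only decodes the message after the signature over the raw query has verified, and that the replay check is a separate step: a correct signature proves the parameters are what the signer sent, not that the message is fresh, so the ID window is what stops an older signed message from being reused.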