OIOSAML.NET version 1.7.3
Releasedate: 11. August 2011
The same vulnerability as found in oiosaml.java, and corrected in v8330 (http://digitaliser.dk/resource/1664828) is present in oiosaml.net v 1.7.2.
oiosaml.net restricts the amount of assertions to one in a SAMLResponse, so the practical attack against oiosaml.java is not reproducable against oiosaml.net, but the underlying issue with uri/id validation is still present.
This version corrects this issue, and it is recommended to upgrade to the latest version, to ensure that any unknown attacks that builds on this vulnerability are blocked.
- Validation of the reference uri in the signature element
Filer og referencer