Open SAML: org.cryptacular:cryptacular vulnerabilities

Issue #309 resolved
Robert Kupferschmied created an issue

My dependency check finds some vulnerable dependencies:

https://snyk.io/vuln/maven:org.cryptacular%3Acryptacular

The version org.cryptacular:cryptacular 1.1.3 is used; there is a version 1.1.4 which fixes this issue.

You don’t directly depend on it:

mvn dependency:tree

[INFO] +- org.opensaml:opensaml-saml-impl:jar:3.4.5:compile
[INFO] |  +- org.opensaml:opensaml-security-impl:jar:3.4.5:compile
[INFO] |  +- org.opensaml:opensaml-xmlsec-impl:jar:3.4.5:compile
[INFO] |  |  +- org.apache.santuario:xmlsec:jar:2.0.10:compile
[INFO] |  |  |  +- com.fasterxml.woodstox:woodstox-core:jar:5.0.3:compile
[INFO] |  |  |  \- org.codehaus.woodstox:stax2-api:jar:3.1.4:compile
[INFO] |  |  \- org.cryptacular:cryptacular:jar:1.1.3:compile

There is a new version 4.0.1 of OpenSAML, but I don’t know if it compiles…

Best Regards

Robert

Comments (3)

  1. Yavor Vasilev

    Thank you Robert for this report.

    OpenSAML is an optional dependency and is only used for processing SAML assertion grants to output OAuth tokens.

    If you’re using the SDK for OAuth 2.0 and OIDC only, you’re not affected.
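For projects that do need the SAML assertion grant and therefore keep OpenSAML 3.4.5 on the classpath, the usual way to pick up the fixed cryptacular 1.1.4 without waiting for a new OpenSAML release is a `dependencyManagement` override in the consuming project's POM. This is an added example, not code from the issue or from the SDK; it assumes a Maven build and that cryptacular 1.1.4 is a drop-in replacement for 1.1.3 within the same 1.1.x line.

```xml
<!-- Added example POM fragment for the consuming project (not part of the issue thread).
     Assumption: org.cryptacular:cryptacular 1.1.4 is binary compatible with the 1.1.3
     that org.opensaml:opensaml-xmlsec-impl:3.4.5 declares, so pinning it is safe. -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- A managed version overrides the version requested by any transitive
           dependency, so opensaml-xmlsec-impl 3.4.5 now resolves cryptacular 1.1.4
           instead of the vulnerable 1.1.3 shown in the dependency tree above. -->
      <dependency>
        <groupId>org.cryptacular</groupId>
        <artifactId>cryptacular</artifactId>
        <version>1.1.4</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The direct OpenSAML dependency stays exactly as before; only the
         transitive cryptacular version changes. -->
    <dependency>
      <groupId>org.opensaml</groupId>
      <artifactId>opensaml-saml-impl</artifactId>
      <version>3.4.5</version>
    </dependency>
  </dependencies>
</project>

<!-- Verify the override took effect (only the cryptacular subtree is printed):
       mvn dependency:tree -Dincludes=org.cryptacular
     The output should now end in org.cryptacular:cryptacular:jar:1.1.4:compile. -->
```

Users of the SDK for OAuth 2.0 and OIDC only, as noted in the comment above, can simply leave the OpenSAML artifacts out of their POM and need no override.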
