Open SAML: org.cryptacular:cryptacular vulnerabilities
My dependency check find some vulnerable dependencies:
https://snyk.io/vuln/maven:org.cryptacular%3Acryptacular
the version org.cryptacular:cryptacular 1.1.3 is used, there is a version 1.1.4 which fixes this issue.
You don’t directly depend on it:
mvn dependency:tree
[INFO] +- org.opensaml:opensaml-saml-impl:jar:3.4.5:compile
[INFO] | +- org.opensaml:opensaml-security-impl:jar:3.4.5:compile
[INFO] | +- org.opensaml:opensaml-xmlsec-impl:jar:3.4.5:compile
[INFO] | | +- org.apache.santuario:xmlsec:jar:2.0.10:compile
[INFO] | | | - com.fasterxml.woodstox:woodstox-core:jar:5.0.3:compile
[INFO] | | | - org.codehaus.woodstox:stax2-api:jar:3.1.4:compile
[INFO] | | - org.cryptacular:cryptacular:jar:1.1.3:compile
there is a new version 4.0.1 of opensaml, but I don’t know if it compiles…
Best Regards
Robert
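Added example (not code from the report or from the SDK): until the SDK ships the OpenSAML 3.4.6 update, an application that consumes it can force the transitive org.cryptacular:cryptacular version from its own pom.xml via dependencyManagement. The pom below is a constructed minimal fragment; the version numbers are the ones named in the report.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example pom.xml for an application consuming the SDK.
     Coordinates and versions other than those quoted from the report
     (cryptacular 1.1.3 -> 1.1.4, OpenSAML 3.4.5 -> 3.4.6) are placeholders. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>my-app</artifactId>
  <version>1.0.0</version>

  <dependencyManagement>
    <dependencies>
      <!-- Pins the vulnerable leaf only. A managed version applies to
           transitive dependencies too, so this wins over the 1.1.3 that
           opensaml-xmlsec-impl 3.4.5 pulls in. -->
      <dependency>
        <groupId>org.cryptacular</groupId>
        <artifactId>cryptacular</artifactId>
        <version>1.1.4</version>
      </dependency>
      <!-- Alternative matching the maintainer's eventual fix: manage the
           OpenSAML artifact that brings cryptacular in up to 3.4.6. -->
      <dependency>
        <groupId>org.opensaml</groupId>
        <artifactId>opensaml-xmlsec-impl</artifactId>
        <version>3.4.6</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <!-- Verify the override took effect:
       mvn dependency:tree -Dincludes=org.cryptacular
       should now list org.cryptacular:cryptacular:jar:1.1.4 only. -->
</project>
```

Keep the override only until the SDK release containing the fix is adopted, then remove it so the managed version does not silently hold back a later upstream bump.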
Comments (3)
- changed title to Open SAML: org.cryptacular:cryptacular vulnerabilities
- changed status to resolved
Fixed in 29929e55 with update to OpenSAML 3.4.6.
Thank you Robert for this report.
OpenSAML is an optional dependency and is only used for processing SAML assertion grants to output OAuth tokens.
If you’re using the SDK for OAuth 2.0 and OIDC only, you’re not affected.