- changed status to resolved
SAML2AssertionValidator: Disable access to external entities in XML parsing
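The issue title names the hardening applied to the SDK's SAML assertion parsing: the XML parser must not resolve external entities or DTDs, otherwise an attacker who controls an assertion can read local files or make the server fetch URLs (XXE). The following is an added illustration, not the SDK's own code and not the fix commit referenced on this page; it shows a default `DocumentBuilderFactory` beside one with external entities, external DTDs and DOCTYPE declarations disabled, and runs both against a constructed assertion carrying an external entity. The class name, the `hardenedFactory` helper and the sample payload are assumptions for the example.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

// Added example: hardening a JAXP DOM parser against XXE before it touches
// attacker-supplied SAML XML. Class and method names are hypothetical.
public class SamlXxeHardeningExample {

    // Constructed sample: a "SAML assertion" that declares an external entity
    // pointing at a local file and references it in the element body.
    static final String XXE_ASSERTION =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE Assertion [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
        + "<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\">&xxe;</Assertion>";

    // Vulnerable configuration: JAXP defaults allow DOCTYPE and resolve
    // external general entities, so &xxe; expands to the file contents.
    static DocumentBuilderFactory defaultFactory() {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        return f;
    }

    // Hardened configuration: reject DOCTYPE outright and, as defence in depth,
    // switch off every external-entity and external-DTD path the parser has.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // A SAML assertion never needs a DTD; disallowing DOCTYPE blocks inline
        // entity declarations entirely (this is what makes the sample fail).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // Empty protocol lists: no external DTD or schema may be fetched.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    // Parse the document and return the text content of the root element.
    // With the default factory this is the leaked file; with the hardened
    // factory the parser throws before any entity is resolved.
    static String parseRootText(DocumentBuilderFactory factory, String xml) throws Exception {
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document doc = builder.parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        try {
            System.out.println("default parser expanded entity to: "
                + parseRootText(defaultFactory(), XXE_ASSERTION).trim());
        } catch (Exception e) {
            // On a host without /etc/hostname the default parser still tried to read it.
            System.out.println("default parser attempted external access: " + e);
        }
        try {
            parseRootText(hardenedFactory(), XXE_ASSERTION);
            System.out.println("hardened parser accepted the document (unexpected)");
        } catch (org.xml.sax.SAXParseException e) {
            System.out.println("hardened parser rejected DOCTYPE: " + e.getMessage());
        }
    }
}
```

Running it prints the hostname (or an I/O error from the attempted file read) for the default factory and a DOCTYPE-rejection error for the hardened one. The same factory settings belong wherever a relying party or authorization server parses assertions it did not create, including the `urn:ietf:params:oauth:grant-type:saml2-bearer` grant discussed in the comments below.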
Comments (10)
-
reporter -
Hi Yavor, will this fix be backported to 8.x? Again the issue is the same: spring-security is using 8.x.
-
@Yavor Vasilev +1 to @Vladimir Kryukov's question. Can this be backported to 8.x?
-
reporter Could you confirm that Spring Security is using the “SAML assertion for OAuth access token” grant?
This is a fairly exotic OAuth spec and I haven’t seen a production use of it in my practice.
-
@Yavor Vasilev there are a few problems related to this question:
- It requires quite some time to figure out whether spring-security is vulnerable or not
- Even if spring-security is not providing such a feature, it might in the future without additional notice
- Overall, a vulnerable dependency in the code base is a bad sign
Not sure how much effort is required to bump 8.x with this fix & #357, but I think a lot of people will be grateful to have no critical vulnerabilities in their code base.
-
reporter This makes sense. Will try to do the bumps tonight.
-
Hi @Yavor Vasilev,
Thank you, I hope you'll find time to do that. Could you please also reopen this issue to keep it visible until it is fixed?
Br.
Vladimir
-
reporter The backports were done this morning; there will probably be one more to release.
-
@Vladimir Kryukov Just to mention, we are looking for extra maintainers and contributors to this project, even for small tasks and mini projects. If you have a particular interest or topic that you work on let us know.
For some time I’ve also been contemplating offering an updates and support subscription by Connect2id with proceeds flowing to maintainers, provided it’s easy to manage and administer. Our paid business comes from selling licenses for the Connect2id server, and that work goes towards the tip of the SDK; in that regard backports and maintenance of older branches come as an extra cost.
-
reporter Backport in version 8.36.2 (2021-04-15)
Fix: bfd95d5e