Shibboleth · Shibboleth Identity Provider · CVE-2015-1796
**Name of the Vulnerable Software and Affected Versions**
Shibboleth Identity Provider versions prior to 2.4.4
OpenSAML Java (OpenSAML-J) versions prior to 2.6.5
**Description**
The issue allows remote attackers to impersonate an entity using a certificate issued by a shibmd:KeyAuthority trust anchor when no trusted names are available for the entityID. This is because the PKIX trust engines, in that scenario, trust any candidate X.509 credential that chains to the trust anchor without a name check binding the credential to the entityID.
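A stand-alone model of the flaw described above, as an added example that is not OpenSAML-J's own code: PKIX path validation is simulated by an issuer lookup, the metadata and certificates are constructed, and the "fail closed when no trusted names exist" behaviour is one defensible hardening rather than a claim about the project's exact patch.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Cert:
    subject: str   # name the certificate asserts
    issuer: str    # subject of the issuing CA

@dataclass
class Metadata:
    key_authorities: set                       # shibmd:KeyAuthority anchors (constructed)
    trusted_names: dict = field(default_factory=dict)  # entityID -> set of trusted names

def chains_to_anchor(cert: Cert, anchors: set) -> bool:
    """Simulated PKIX path validation: accept if the issuer is a configured anchor."""
    return cert.issuer in anchors

def vulnerable_evaluate(cert: Cert, entity_id: str, md: Metadata) -> bool:
    """Models the pre-fix logic: with no trusted names, the name check is skipped."""
    if not chains_to_anchor(cert, md.key_authorities):
        return False
    names = md.trusted_names.get(entity_id, set())
    if not names:
        return True          # anything chaining to the anchor is accepted for this entity
    return cert.subject in names

def hardened_evaluate(cert: Cert, entity_id: str, md: Metadata) -> bool:
    """Fail closed: no trusted names means nothing binds the cert to the entityID."""
    if not chains_to_anchor(cert, md.key_authorities):
        return False
    names = md.trusted_names.get(entity_id, set())
    if not names:
        return False
    return cert.subject in names

# Constructed sample metadata: one anchor, trusted names for one entity only.
SP_ID = "https://sp.example.org/shibboleth"
OTHER_ID = "https://other.example.org/shibboleth"   # no trusted names registered
SAMPLE_MD = Metadata(key_authorities={"CA-A"},
                     trusted_names={SP_ID: {"sp.example.org"}})
SP_CERT = Cert("sp.example.org", "CA-A")
UNRELATED_CERT = Cert("unrelated.example.net", "CA-A")  # valid chain, wrong name

if __name__ == "__main__":
    print("vulnerable:", vulnerable_evaluate(UNRELATED_CERT, OTHER_ID, SAMPLE_MD))
    print("hardened:  ", hardened_evaluate(UNRELATED_CERT, OTHER_ID, SAMPLE_MD))
```

Detection guidance from the model: an IdP whose metadata carries a KeyAuthority but no per-entity trusted names is exactly the configuration where the vulnerable path is reachable.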
**Recommendations**
For Shibboleth Identity Provider versions prior to 2.4.4, update to version 2.4.4 or later to resolve the issue.
For OpenSAML Java (OpenSAML-J) versions prior to 2.6.5, update to version 2.6.5 or later to resolve the issue.