Meiko Jensen

**Name of the Vulnerable Software and Affected Versions** Shibboleth OpenSAML library versions 2.4.x through 2.4.2 Shibboleth OpenSAML library versions 2.5.x through 2.5.0 Shibboleth IdP versions prior to 2.3.2 **Description** The issue allows remote attackers to forge messages and bypass authentication via an "XML Signature wrapping attack." **Recommendations** For Shibboleth OpenSAML library versions 2.4.x through 2.4.2, update to version 2.4.3 or later. For Shibboleth OpenSAML library versions 2.5.x through 2.5.0, update to version 2.5.1 or later. For Shibboleth IdP versions prior to 2.3.2, update to version 2.3.2 or later.

**Name of the Vulnerable Software and Affected Versions** Apache Rampart/C version 1.3.0 **Description** The issue is related to the improper calculation of the expiration of timestamp tokens by the `rampart timestamp token validate` function. This allows remote attackers to bypass intended access restrictions by using an expired token. **Recommendations** For Apache Rampart/C version 1.3.0, consider disabling the `rampart timestamp token validate` function until a patch is available to properly calculate the expiration of timestamp tokens.