PT-2014-3116 · Shibboleth · Opensaml Java
Published 2014-02-14 · Updated 2022-05-13 · CVE-2013-6440
CVSS v2.0: 5.0 (Medium)
| Vector | AV:N/AC:L/Au:N/C:P/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Shibboleth OpenSAML-Java versions prior to 2.6.1
Description
The issue allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML DOCTYPE declaration, because the expandEntityReferences property is set to true in certain XML parsing components.
Recommendations
For versions prior to 2.6.1, update to version 2.6.1 or later to resolve the issue. As a temporary workaround, consider setting the expandEntityReferences property to false in the affected components, including the BasicParserPool, StaticBasicParserPool, XML Decrypter, and SAML Decrypter.
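As an added illustration of the workaround (not code from the advisory or from the OpenSAML project), the following JAXP DocumentBuilderFactory is configured with expandEntityReferences disabled, plus a hard rejection of any DOCTYPE as defence in depth beyond what the advisory lists; the SAML-like inputs are constructed for the demonstration, and it is assumed that OpenSAML's BasicParserPool exposes an equivalent setter for the same property.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.SAXParseException;

public class HardenedSamlParserDemo {

    // Factory configured the way the workaround describes
    // (expandEntityReferences=false) and, as defence in depth beyond the
    // advisory, refusing any DOCTYPE, which a SAML message never needs.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);            // SAML processing relies on namespaces
        f.setExpandEntityReferences(false);   // the setting the advisory recommends
        f.setXIncludeAware(false);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    // Returns true when the factory's parser accepts the document, false when
    // the parser rejects it; used to compare the two configurations.
    static boolean accepts(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        try {
            b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (SAXParseException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a minimal SAML-like assertion, and the same
        // document preceded by a DOCTYPE (an internal entity is enough to
        // show that the hardened parser rejects any DOCTYPE at all).
        String clean = "<saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"a1\"/>";
        String withDoctype = "<!DOCTYPE r [<!ENTITY e \"x\">]>" + clean;

        DocumentBuilderFactory defaults = DocumentBuilderFactory.newInstance();
        defaults.setNamespaceAware(true);   // JAXP default: expandEntityReferences=true

        System.out.println("default factory, DOCTYPE accepted:  " + accepts(defaults, withDoctype));
        System.out.println("hardened factory, clean accepted:   " + accepts(hardenedFactory(), clean));
        System.out.println("hardened factory, DOCTYPE accepted: " + accepts(hardenedFactory(), withDoctype));
    }
}
```

The first line prints true and the last prints false with a Xerces-based JDK parser; a rejected DOCTYPE also surfaces as a fatal parse error in the application log, which is the event worth alerting on for a SAML endpoint.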
Fix
Information Disclosure
Weakness Enumeration
Related identifiers
Affected products
Opensaml Java