CVE-2016-10097

Name of the Vulnerable Software and Affected Versions OpenAM - Access Management version 10.1.0

Description The issue allows remote attackers to read arbitrary files via the SAMLRequest parameter in the /SSOPOST/metaAlias/%realm%/idpv2 endpoint. This is an XML External Entity (XXE) vulnerability.

Recommendations For OpenAM - Access Management version 10.1.0, as a temporary workaround, consider restricting access to the /SSOPOST/metaAlias/%realm%/idpv2 endpoint until a patch is available. Avoid using the SAMLRequest parameter in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.