VU # 475445 - SAML Vulnerability

We are using opensaml 2.6.1 , xmltooling 1.4.1 and spring-security-saml2-core-1.0.0. java libraries.

Wanted to check if the recent vulnerability detected in SAML implemenation VU#475445 will be applicable for these libraries.

If so how we can resolve it.

Solution

If you are running with the defaults, then you are not affected. The key is the property ignoreComments on the ParserPool bean which by default is set to "true". You can read more on this thread: https://github.com/spring-projects/spring-security-saml/issues/228

How to set up AWS Client VPN with Keycloak as IdP
Configuring SAML2: Bypassing 'InResponseTo' Validation While Retaining Default Settings in OpenSaml4AuthenticationProvider
Microsoft Azure: How to get the Auth Token after SAML authentication on a enterprise application
SAML configuration broke after upgrade from 7.55.8 to 7.98.8
How am I supposed to handle an expiring SAML certificate as an SP?
Why is Keycloak resulting in "Cookie not found" error after IDP initiated login?
Configure Keycloak to Encrypt SAML Assertions with AES-128-GCM Instead of AES-128-CBC
Transforming LDAP group memberships to SAML Attributes in Keycloak
Assistance with Extending SAML AuthnRequest for AppSwitch Property
Response doesn't have any valid assertion which would pass subject validation
Validate signed assertion embedded in SAMLResponse
CORS issue using Angular application calling a .NET Core API using Sustainsys.Saml2 library and Azure Active Directory as Identity Provicer
Logging into SAML/Shibboleth authenticated server using python
SimpleSAML\Error\Exception: Could not find the metadata of an IdP with entity ID
Security concerns with providing SAML metadata on public URL
How to get a SAML token from ADFS sever to pull data from dynamics CRM on-premises (non-sdk) in c#?
How to add ForceAuthn flag on AWS cognito
Python Requests - SAML Login Redirect
How to get SAML token using C#/ASP.NET
Simple way to put AWS Lambda app behind SAML authentication
Why wouldn't the IdP initiate contact with the SP in a SAML 2.0 SSO integration?
How to solve the xmlsec Error: (100, 'lxml & xmlsec libxml2 library version mismatch')
Mendix and Azure Ad B2C AuthRequest does not have assertion consumer service URL
Authenticate requests session with login.microsoftonline.com
Python SSO: pysaml2 and python3-saml
How to create public and private key with OpenSSL?
How to change NameID in SimpleSAMLphp
Add SHA1 to signxml python
What causes a Responder status in a SAML response
How to validate a SAML token from ADFS 3.0 in an ASP.NET Core Web API