oss-sec mailing list archives
CVE Request: Apache Axis2 XML Signature Wrapping Attack
From: David Jorm <djorm () redhat com>
Date: Wed, 12 Sep 2012 02:06:32 -0400 (EDT)
Juraj Somorovsky and colleagues have described an XML Signature Wrapping (XSW) attack against a variety of platforms in a paper delivered at USENIX [0]. Various platforms are covered, including OpenSAML and Apache Axis2. OpenSAML is covered by CVE-2011-1411 [1], but I can't find a CVE ID for Axis2. Could one please be assigned? The OpenSAML CVE ID is 2011 because some vendors were given pre-notification of the issue in 2011. Since all the details were made public in 2012, I suggest assigning a 2012 CVE ID for Axis2. Thanks -- David Jorm / Red Hat Security Response Team [0] http://www.nds.rub.de/media/nds/veroeffentlichungen/2012/08/22/BreakingSAML_3.pdf [1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1411
Current thread:
- CVE Request: Apache Axis2 XML Signature Wrapping Attack David Jorm (Sep 11)
- Re: CVE Request: Apache Axis2 XML Signature Wrapping Attack Kurt Seifried (Sep 12)