CVE Request: openid4java not properly verifying the signature of Attribute Exchange (AX) information
From: David Jorm <djorm () redhat com>
Date: Wed, 16 Nov 2011 04:43:28 -0500 (EST)
It was found that openid4java was not checking that all Attribute Exchange (AX) information passed to it was signed. This is a security concern if AX is being used to receive information that an application only trusts the identity provider to assert.
Upstream advisory: http://openid.net/2011/05/05/attribute-exchange-security-alert/
Patch commit: http://code.google.com/p/openid4java/source/detail?r=661
Secunia advisory: http://secunia.com/advisories/44496/
David Jorm / Red Hat Security Response Team
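A relying-party-side check for the condition described above, written as an added example in Python rather than openid4java's own code: it walks the parameters of an OpenID 2.0 positive assertion and refuses to use any AX attribute whose parameter is not listed in openid.signed. The response dict is constructed for illustration, and the check assumes openid.sig has already been verified over exactly the fields named in openid.signed.

```python
"""Verify that every Attribute Exchange (AX) parameter in an OpenID 2.0
assertion is covered by openid.signed before any AX value is trusted.
Assumes openid.sig has already been validated over the signed field list."""

AX_NS = "http://openid.net/srv/ax/1.0"   # AX 1.0 extension namespace
NS_PREFIX = "openid.ns."

# Constructed sample (not a real capture): openid.signed covers the core
# fields and the AX namespace binding, but NOT the email attribute itself.
SAMPLE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.ns.ext1": AX_NS,
    "openid.ext1.mode": "fetch_response",
    "openid.ext1.type.email": "http://axschema.org/contact/email",
    "openid.ext1.value.email": "alice@example.com",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                     "response_nonce,assoc_handle,ns.ext1,ext1.mode",
    "openid.sig": "bm90LWEtcmVhbC1zaWduYXR1cmU=",  # placeholder value
}


def ax_aliases(params):
    """Extension aliases (e.g. 'ext1') bound to the AX namespace."""
    return [k[len(NS_PREFIX):] for k, v in params.items()
            if k.startswith(NS_PREFIX) and v == AX_NS]


def unsigned_ax_fields(params):
    """AX-related parameters missing from openid.signed (names there omit
    the 'openid.' prefix, e.g. 'ext1.value.email')."""
    signed = set(params.get("openid.signed", "").split(","))
    unsigned = []
    for alias in ax_aliases(params):
        for key in params:
            if key == NS_PREFIX + alias or key.startswith("openid." + alias + "."):
                if key[len("openid."):] not in signed:
                    unsigned.append(key)
    return sorted(unsigned)


def signed_ax_values(params):
    """Return {attribute alias: value} only if every AX field is signed;
    return None otherwise so an unsigned AX payload is never used."""
    if unsigned_ax_fields(params):
        return None
    values = {}
    for alias in ax_aliases(params):
        prefix = "openid." + alias + ".value."
        for key, value in params.items():
            if key.startswith(prefix):
                values[key[len(prefix):]] = value
    return values
```

For the constructed sample the two email parameters are reported as unsigned and no AX value is returned; once they are added to openid.signed the same response yields the email attribute.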