Insecure SAML parser configuration
Severity
High

An OpenSAML 2 parser pool that keeps XML comments in the parsed DOM (setIgnoreComments(false)) exposes the service provider to a SAML authentication bypass. XML-DSIG exclusive canonicalization omits comments, so an attacker who already holds a valid account can insert a comment into the NameID of their own signed assertion without invalidating the signature. A consumer that then reads only the first text node of the element, rather than its full text content, sees a truncated identifier and may treat the attacker as a different user. Because any authenticated user of the SAML system can attempt this, configure the pool to ignore comments.

Detector ID
java/incorrect-authentication-exploitation@v1.0
Category
Common Weakness Enumeration (CWE)

Noncompliant example

import org.opensaml.xml.parse.BasicParserPool;

public class ParserPoolNoncompliant {
    public void parserPoolNoncompliant(final BasicParserPool parser) {
        // Noncompliant: keeping comments lets a signed NameID be split by a comment, a SAML authentication bypass.
        parser.setIgnoreComments(false);
    }
}

Compliant example

import org.opensaml.xml.parse.BasicParserPool;

public class ParserPoolCompliant {
    public void parserPoolCompliant(final BasicParserPool parser) {
        // Compliant: dropping comments at parse time removes the comment-splitting SAML authentication bypass.
        parser.setIgnoreComments(true);
    }
}
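The following added example is not code from the detector page or from the OpenSAML project. It uses only the JDK DOM parser that a BasicParserPool builds on (DocumentBuilderFactory.setIgnoringComments is the setting behind setIgnoreComments) to show what the flag changes. The NameID fragment is constructed for the demonstration, and the first-text-node extraction is an assumed consumer pattern, not OpenSAML's own unmarshalling.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

public class SamlCommentSplitDemo {

    // Constructed sample, not a real assertion: the attacker's own NameID
    // ("user@example.com.attacker.example") with an empty XML comment inserted.
    // Exclusive canonicalization, the XML-DSIG default, omits comments, so a
    // signature computed over the original element still verifies on this one.
    static final String NAME_ID =
        "<saml:NameID xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">"
      + "user@example.com<!---->.attacker.example</saml:NameID>";

    // Builds a parser the way a parser pool would; setIgnoringComments is the
    // JDK-level switch that BasicParserPool.setIgnoreComments controls.
    static Element parseNameId(String xml, boolean ignoreComments) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setIgnoringComments(ignoreComments);
        factory.setExpandEntityReferences(false);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = factory.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement();
    }

    // Assumed consumer pattern: read the first child's value on the belief
    // that NameID always holds exactly one text node.
    static String firstTextNode(Element nameId) {
        Node first = nameId.getFirstChild();
        return first == null ? null : first.getNodeValue();
    }

    public static void main(String[] args) throws Exception {
        Element kept = parseNameId(NAME_ID, false);   // like parser.setIgnoreComments(false)
        Element dropped = parseNameId(NAME_ID, true); // like parser.setIgnoreComments(true)

        // Comments kept: the character data is split around a Comment node, so
        // the first-child read returns "user@example.com", the victim's identity.
        System.out.println("comments kept,    first text node: " + firstTextNode(kept));
        // Comments dropped: adjacent character data lands in a single text node,
        // so the same read returns the full attacker identity.
        System.out.println("comments ignored, first text node: " + firstTextNode(dropped));
        // getTextContent() concatenates all descendant text and skips comments,
        // so it returns the full value under either configuration.
        System.out.println("comments kept,    getTextContent:  " + kept.getTextContent());
    }
}
```

Two checks follow from this. Set ignoreComments on every pool used for inbound SAML, not just the one the detector flagged, since the default can be overridden per pool. And, independently of the parser setting, extract subject identifiers from the full text content of the element in the same DOM that passed signature verification rather than from a single child node, so a comment or other node split cannot change what the application sees.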