CVE-2021-27736

Source
https://cve.org/CVERecord?id=CVE-2021-27736
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-27736.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-27736
Published
2021-04-22T14:15:09.123Z
Modified
2025-11-14T11:34:05.526454Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (reachable over the network, low attack complexity, low privileges required, no user interaction, unchanged scope; high confidentiality impact, no integrity or availability impact — consistent with an XXE that discloses data rather than one that alters state or denies service)
Summary
[none]
Details

FusionAuth fusionauth-samlv2 before 0.5.4 allows XML External Entity (XXE) attacks via a forged AuthnRequest or LogoutRequest, because parseFromBytes builds its XML parser from javax.xml.parsers.DocumentBuilderFactory without hardening it — the factory is left at its defaults, which in standard JAXP implementations process DTDs and resolve external entities. Any party that can deliver a SAML request to an endpoint that parses it with this library can therefore supply attacker-controlled entity declarations. Versions 0.5.4 and later are not affected; the fix commit referenced by the signatures below is c66fb689d50010662f705d5b585c6388ce555dbd.

References

Affected packages

Git / github.com/fusionauth/fusionauth-samlv2

Affected ranges

Type
GIT
Repo
https://github.com/fusionauth/fusionauth-samlv2
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
(no fixed commit is recorded in this range entry; per the Details, 0.5.4 is the first unaffected release, and the vanir signatures below cite fix commit c66fb689d50010662f705d5b585c6388ce555dbd)
Affected versions

0.*
0.1.0
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.4.0
0.5.0
0.5.1
0.5.2
0.5.3

Database specific

vanir_signatures
[
    {
        "target": {
            "file": "src/test/java/io/fusionauth/samlv2/service/DefaultSAMLv2ServiceTest.java"
        },
        "id": "CVE-2021-27736-2ea4c903",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "47257368456353364127501162425728752924",
                "75393850792711505203050661168056739128",
                "143653802475720954955300227918189879721",
                "265320363875717611260094247488570137018",
                "242890838578186116465366032966870447659",
                "130465937462380966934952924282677625482",
                "16906714596620935361665709571495572463",
                "178843386244990972254168242741491374430",
                "334790149856142018315325327034620769748",
                "185383214183825453957990449021947880144",
                "229317026916857511536123136843868068709",
                "87833274788732213409506846587720326196",
                "194773129079664734507206391047092277019",
                "261393543077164468757993186483019860211",
                "140373776667276607602170089325748702009",
                "28514572559055876785527012946442472485",
                "117344638895422024451177277598598700286",
                "54609559748776098147593137713303561809"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "source": "https://github.com/fusionauth/fusionauth-samlv2/commit/c66fb689d50010662f705d5b585c6388ce555dbd",
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "src/main/java/io/fusionauth/samlv2/service/DefaultSAMLv2Service.java"
        },
        "id": "CVE-2021-27736-3a9c056f",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "172341532262968072923560313020204766541",
                "59489718069508089279818069710478350487",
                "156507028266127576140002272997747604894",
                "216943832560269935133534368472396861028",
                "155569567338034585836706435332787143214",
                "57371156001556190025208351159555381102",
                "272807638399239535799163278267793945315",
                "98305312031449110925292306114093342923",
                "232580502528354932879450616125843648464",
                "294521331926320157768482037659497476591",
                "76795542204996988918391319063642601204",
                "24152980437732272695903203049707190398",
                "196001684076633430830787899922531501015",
                "236877992937782316961838604729562820194",
                "311665834602185064632339016535704954917",
                "149240408055828262462998422513796397766",
                "11734061781761085324916734630802195371",
                "83634968562715156261145627393985784455",
                "246941629358202854705053859796361864842",
                "225827246901691183514564474438862812246",
                "260354866218447824754292462297704390103",
                "330710717620576198148284564577972437368",
                "28077131040039194718006035225083278979",
                "272376718515716579663115184034421858483",
                "66866352995168356251442186383335882961",
                "251491952293322756669019482556070163473",
                "176194487062678868695745970904995542465",
                "270126490521523283917703685460832904519",
                "101908023293857837313042594704284047138",
                "244003181979761299423701058100771669818",
                "162673479342424250625454546731442528910",
                "158869510348158938389653234743446739595",
                "279524376402214033962530007568462207234",
                "77039276257793950830006074984635415274",
                "303134717352167234929165489533690477818",
                "140787595386589850123041633932910003996",
                "40745543036765079427495993322652255133",
                "149464165977463077497653431684683722190",
                "300027864747322057991919015588510960549",
                "279641785573350259508368977937870125923",
                "121368746094461723094272424243136942266",
                "231333345710794595525571312736513637350",
                "161730793486616015650497652729956734079",
                "68757352923727222599038537145210354889",
                "75541387871771953244579017512194333026",
                "53388200151732944235015270825840979823",
                "337977581478251151507781921484930075781",
                "201772403434911385344196792417017147701",
                "197896882022032836573877147404760870508",
                "99624625979691396216239741849894033180",
                "79464714397046574213275179287145501142",
                "99184849583789381523755864723972667125",
                "132346600673395659374250217904053119382",
                "196154232297274441885815351501421704925",
                "106734415733718825252843267113733886403",
                "270138797393338713191177285500884245557",
                "26742084665240349184300063372613946929",
                "26207833692740496903503305106130264273",
                "182231551127896151255921223511051025673",
                "244905224398769291789823032534328247572",
                "262550036111592377999101303275803782958",
                "291393503896409959509388349263788269241",
                "77369521380313103100131297058534956359",
                "257073621099522671718470456048189411471",
                "337706578764994077229518017781589999150",
                "240528517217753673874812840234488714782",
                "77048490336362512655235607671327147578",
                "78361706151427602766964138388316572344",
                "14340238698867535406153471669146141965",
                "246540502033210984634034605723237550742",
                "139802733179346808627458660441511988106",
                "235959869454135655661892821648433573734",
                "117884637918067750922932100665712799815",
                "203959213715004183185386608611197738307",
                "92342242459162158226923041553628524770",
                "60270344108368481414499134194897598774",
                "108458231802722587334015851698775807326",
                "327278926669829403815751879890233960666",
                "177094154849478479888600301020804748014",
                "123047602152577839096379889933736846960",
                "25784458703513666122920176270290104173",
                "303215161671998654811792832811962971199",
                "220727522864260237892724216159443021092",
                "88859637898939103565799295159518156463",
                "51432661372235286908811463532284350932",
                "146997425325855326717487782496919818682",
                "57367188189712596966220860427679017240",
                "107758171670012004798832017468524514981",
                "302919389385251089412043171101902587464",
                "61873385980234626322928141350947940570",
                "193784382529887650468546602662295321282",
                "163904513414958086367759479677485099266",
                "190109342941700312183369618675822547801",
                "14333984457366637853218105691346719833",
                "108083765902582262315060756542995899552",
                "229476879249965232762577507485466020215",
                "299374362915383015562331045311665398675",
                "82924519361630035573483812436731357150",
                "128320367646230067408149560517138587971",
                "58933999365159651390291073095249516579",
                "18130150413894418924234251366137448942",
                "218182438146491133860544293475202017763",
                "320433382438029796890319943784601847641",
                "52747872367706218438610971107959368541",
                "269429570599445074842663006560334541865",
                "190760103024064845090958485214895203813",
                "88099955328117571127098418862992818317",
                "30737886418096308119395458922458891693",
                "31657649220626686184123187996300035939",
                "208794626236668544515155576498654451208",
                "289641230586903802455881284044096091258",
                "224144618452077249876188335787967029672",
                "244497692622936566146707118000128227274",
                "76797362981656668590069515318309996582",
                "178604110025082117976552347426535703631",
                "280501111711711190809532176159980257394",
                "279370479891889328038808590511474721506",
                "217326981639268095379475781564098561550",
                "275736321062382471540783412557425501952",
                "226810175125871987955015277620091838083",
                "39798085302844678774622135390306199556",
                "148008713353538343487613247531867592689",
                "310959448230508494141829731425393160761",
                "56146395360936643809575959067766407887",
                "10437413867579518264640676189312313644",
                "54650685335883596806618588882369212862",
                "24148698938379960650887430839371382267",
                "89386178478888467397751219788970270435",
                "72512057480595182179441593416677463969",
                "16893541292571802222239425314765361573",
                "150405598088280426853501525422418730090",
                "224447691673091395349148749922542977686",
                "49267890145335094335026009080936178964",
                "181523979234174571645679174348206256160",
                "278768909353678275304635601348205790130",
                "173514824579783657079592122142825532878",
                "128952910967333719395823269309683077227",
                "277376538429818826916564743173833418373",
                "338529843994443159677922877215487285498",
                "63734176271201387725411793330985354663",
                "287438917870322483411513813743154078699",
                "240280344638814183067801236015733209727",
                "48165061747862969878003739790732873195",
                "126283228788314828928797511914663643868",
                "214087234206409765925356050149145266837",
                "12612613177926416576673680178629821600",
                "205432067325485639150441115920436262419",
                "39379229827602866767912141359301598604",
                "8384915061427281155968777162440415684",
                "82757276734148290829459806367789010109",
                "199172086069315438240795229218511939270",
                "261553652419501320281714365629514136099",
                "168252831340129835908972182357367998473",
                "40371060827413815515109309474974289019",
                "279280777695555012848844097510606171578",
                "163348271764722565746131544486181074334",
                "338750854359376727166576962721301317283",
                "257344073324998438287455183102228451731",
                "317096070607141957822484904674152162501",
                "37039018850891655779544904772208746241",
                "58093451203784054982193484756965229120",
                "209805702802749696920645283831127805890",
                "23642567813307299436547112074277471878",
                "194743108462064504686032903483900816656",
                "22632115947812438560710738325440276550",
                "184805546980557020841449530072892014806",
                "240135102284402523461876427430072625712",
                "62537365663628030900489503990753978231",
                "84756707372867252282865493848018312276",
                "131462635178019511336133054608353700745",
                "5125491635101526611946960053607540611",
                "68485997261137285795346108344227995931",
                "169879800844445449735872657263163654961",
                "171668235878207587968894320094049981126",
                "236914034628812307861497336520526722010",
                "123666347737422786214570055899870086214",
                "172576630038921664001281693912892869225",
                "280496045254390730141294616734576359631",
                "228886192845509201863236984246023321009",
                "125939917019352258349681320272047516179",
                "144469837779420827408715427954603595843",
                "196684513487787727093199695954749493441",
                "157362365648123087957752101737036138212",
                "259508128538889539416630817743644378559",
                "157531642052259564645573143469392341394",
                "301991530213189949379326099792984953482",
                "164213211210438418032526994705599490888",
                "82737391436371047329042865659845422085",
                "325664957275026775842790066074672322715",
                "132955303442327314545802727586608930377",
                "132410645017474469865977208068886835423",
                "288556052121553645295523512723246978792",
                "90371523619413848267042237036638882829",
                "229497792797474508865135853583073323309",
                "107408875491117548487427235880440188253",
                "108587633537507210242609878158511307392",
                "108587633537507210242609878158511307392",
                "195943819114117558545208026242705711389",
                "123916631519060077689152720716643688777",
                "14410247180728142852260145797031888426",
                "54616668303386830255374453104922573101",
                "109674700037963075089935622318097159420",
                "54618124623200779185071560954624355739",
                "102287695752539137134284785075649161743",
                "44545169183703582381135889180567960860",
                "228712625178572876841262827311535832566",
                "298960261319298408637337312686552092474",
                "281338337993847959208351159792295511968",
                "194424374051708913178781203711957486567",
                "191901929654615816471955782055711288126",
                "335638469037923268436399651299499236313",
                "164134392314307843276085745888803697238",
                "71018927638742345554668552334224964186",
                "221752085241672856716497211427061918677",
                "134085889215376211933710433491062531347",
                "15131007848679799500801905636282638529",
                "120276716156122152688587500087471075333",
                "4088622586304547291427207012999447420",
                "232549320622700235268265889168638344927",
                "109419284154126872864969314326637365331",
                "105285139281645887008556690859897877340",
                "123067932666420859216357415852427334694",
                "276859723421394486567579154014324460627",
                "137758950269425580225877999159798052664",
                "17591707645591364613467502030843062312",
                "11125407474508304757582129805468507032",
                "132509213318605324905164783838433666963"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "source": "https://github.com/fusionauth/fusionauth-samlv2/commit/c66fb689d50010662f705d5b585c6388ce555dbd",
        "signature_version": "v1"
    },
    {
        "target": {
            "function": "parseFromBytes",
            "file": "src/main/java/io/fusionauth/samlv2/service/DefaultSAMLv2Service.java"
        },
        "id": "CVE-2021-27736-5eaa5964",
        "deprecated": false,
        "digest": {
            "length": 358.0,
            "function_hash": "9061475383202515576887666516634956556"
        },
        "signature_type": "Function",
        "source": "https://github.com/fusionauth/fusionauth-samlv2/commit/c66fb689d50010662f705d5b585c6388ce555dbd",
        "signature_version": "v1"
    },
    {
        "target": {
            "function": "buildRedirectAuthnRequest",
            "file": "src/main/java/io/fusionauth/samlv2/service/DefaultSAMLv2Service.java"
        },
        "id": "CVE-2021-27736-84dadbc5",
        "deprecated": false,
        "digest": {
            "length": 871.0,
            "function_hash": "22337387070887595372430435761719535054"
        },
        "signature_type": "Function",
        "source": "https://github.com/fusionauth/fusionauth-samlv2/commit/c66fb689d50010662f705d5b585c6388ce555dbd",
        "signature_version": "v1"
    },
    {
        "target": {
            "function": "marshallToDocument",
            "file": "src/main/java/io/fusionauth/samlv2/service/DefaultSAMLv2Service.java"
        },
        "id": "CVE-2021-27736-85f75297",
        "deprecated": false,
        "digest": {
            "length": 462.0,
            "function_hash": "75937573345393006483429718080183619037"
        },
        "signature_type": "Function",
        "source": "https://github.com/fusionauth/fusionauth-samlv2/commit/c66fb689d50010662f705d5b585c6388ce555dbd",
        "signature_version": "v1"
    },
    {
        "target": {
            "function": "parseMetaData",
            "file": "src/main/java/io/fusionauth/samlv2/service/DefaultSAMLv2Service.java"
        },
        "id": "CVE-2021-27736-8847b28d",
        "deprecated": false,
        "digest": {
            "length": 2147.0,
            "function_hash": "227803964217237316672970887954594977433"
        },
        "signature_type": "Function",
        "source": "https://github.com/fusionauth/fusionauth-samlv2/commit/c66fb689d50010662f705d5b585c6388ce555dbd",
        "signature_version": "v1"
    },
    {
        "target": {
            "function": "parseResponse",
            "file": "src/main/java/io/fusionauth/samlv2/service/DefaultSAMLv2Service.java"
        },
        "id": "CVE-2021-27736-b842e4e3",
        "deprecated": false,
        "digest": {
            "length": 2925.0,
            "function_hash": "41296254504524936955834757396811014160"
        },
        "signature_type": "Function",
        "source": "https://github.com/fusionauth/fusionauth-samlv2/commit/c66fb689d50010662f705d5b585c6388ce555dbd",
        "signature_version": "v1"
    }
]
source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-27736.json"