ID CVE-2015-1796
Summary The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor.
References
Vulnerable Configurations
  • Shibboleth Identity Provider 2.4.3
    cpe:2.3:a:shibboleth:identity_provider:2.4.3
  • Shibboleth OpenSAML-Java 2.6.4
    cpe:2.3:a:shibboleth:opensaml_java:2.6.4
CVSS
Base: 4.3 (as of 09-07-2015 - 11:22)
Impact:
Exploitability:
CWE CWE-254
CAPEC
Access
  • Vector: NETWORK
  • Complexity: MEDIUM
  • Authentication: NONE
Impact
  • Confidentiality: NONE
  • Integrity: PARTIAL
  • Availability: NONE
redhat via4
advisories
  • rhsa
    id RHSA-2015:1176
  • rhsa
    id RHSA-2015:1177
refmap via4
bid 75370
confirm https://shibboleth.net/community/advisories/secadv_20150225.txt
Last major update 29-11-2016 - 21:59
Published 08-07-2015 - 11:59