CVE-2015-1796 - The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) b

CVE-2015-1796

Summary

The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor.

References

Vulnerable Configurations

cpe:2.3:a:shibboleth:identity_provider:2.4.3:*:*:*:*:*:*:*
cpe:2.3:a:shibboleth:identity_provider:2.4.3:*:*:*:*:*:*:*
cpe:2.3:a:shibboleth:opensaml_java:2.6.4:*:*:*:*:*:*:*
cpe:2.3:a:shibboleth:opensaml_java:2.6.4:*:*:*:*:*:*:*

CVSS

Base:	4.3 (as of 30-11-2016 - 02:59)
Impact:
Exploitability:

CWE

CWE-254

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
NONE	PARTIAL	NONE

cvss-vector via4

AV:N/AC:M/Au:N/C:N/I:P/A:N

redhat via4

advisories

rhsa
id RHSA-2015:1176
rhsa
id RHSA-2015:1177

refmap via4

bid	75370
confirm	https://shibboleth.net/community/advisories/secadv_20150225.txt

Last major update

30-11-2016 - 02:59

Published

08-07-2015 - 15:59

Last modified

30-11-2016 - 02:59