ID CVE-2015-1796
Summary The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor.
References
Vulnerable Configurations
  • cpe:2.3:a:shibboleth:identity_provider:2.4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:shibboleth:opensaml_java:2.6.4:*:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 30-11-2016 - 02:59)
Impact:
Exploitability:
CWE CWE-254
CAPEC
Access
Vector Complexity Authentication
NETWORK MEDIUM NONE
Impact
Confidentiality Integrity Availability
NONE PARTIAL NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:N/I:P/A:N
redhat via4
advisories
  • rhsa
    id RHSA-2015:1176
  • rhsa
    id RHSA-2015:1177
refmap via4
bid 75370
confirm https://shibboleth.net/community/advisories/secadv_20150225.txt
Last major update 30-11-2016 - 02:59
Published 08-07-2015 - 15:59
Last modified 30-11-2016 - 02:59