CVE-2009-3474
Date: created (C) 2009-09-29, modified (M) 2023-12-22


OpenSAML 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, as used by Internet2 Shibboleth Service Provider 2.x before 2.2.1, do not follow the KeyDescriptor element's Use attribute, which allows remote attackers to use a certificate for both signing and encryption when it is designated for just one purpose, potentially weakening the intended security application of the certificate.
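As an added example that is not part of this record or of the OpenSAML/Shibboleth code base, the check below does what the vulnerable versions failed to do: it honours the KeyDescriptor element's use attribute when selecting a certificate for signing or encryption, so a certificate published for only one purpose is never accepted for the other. The metadata is a constructed sample with placeholder certificate values, and the function names are my own.

```python
import xml.etree.ElementTree as ET
from typing import List

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample metadata: one certificate published for signing only,
# one for encryption only, and one with no use attribute (valid for both).
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" xmlns:ds="{DS_NS}" entityID="https://idp.example.test/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>SIGN-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>ENC-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>DUAL-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def certificates_for(metadata_xml: str, purpose: str) -> List[str]:
    """Return the X509Certificate values usable for `purpose` ('signing' or 'encryption').

    A KeyDescriptor with use="signing" is never returned for encryption and vice
    versa; a KeyDescriptor without a use attribute is valid for both, which is the
    SAML metadata semantics. Ignoring the attribute is the defect behind CVE-2009-3474.
    """
    if purpose not in ("signing", "encryption"):
        raise ValueError(f"unknown key purpose: {purpose}")
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        use = kd.get("use")
        if use is not None and use != purpose:
            continue  # published for a different purpose only: reject it here
        for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            certs.append((cert.text or "").strip())
    return certs


def is_allowed(metadata_xml: str, certificate: str, purpose: str) -> bool:
    """True only if `certificate` appears in a KeyDescriptor valid for `purpose`."""
    return certificate in certificates_for(metadata_xml, purpose)


if __name__ == "__main__":
    print(certificates_for(SAMPLE_METADATA, "signing"))     # ['SIGN-CERT', 'DUAL-CERT']
    print(certificates_for(SAMPLE_METADATA, "encryption"))  # ['ENC-CERT', 'DUAL-CERT']
    print(is_allowed(SAMPLE_METADATA, "SIGN-CERT", "encryption"))  # False
```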

CVSS Score and Metrics

CVSS V2 Severity:
CVSS Score: 7.5
Exploit Score: 10.0
Impact Score: 6.4

CVSS V2 Metrics:
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL

References:
BID-36516
SECUNIA-36855
SECUNIA-36868
SECUNIA-36876
DSA-1895
DSA-1896
http://shibboleth.internet2.edu/secadv/secadv_20090817a.txt
https://bugs.internet2.edu/jira/browse/CPPOST-28
opensaml-keydescriptor-security-bypass(53474)

CWE (1):
CWE-310
OVAL (5):
oval:org.mitre.oval:def:7994
oval:org.mitre.oval:def:8365
oval:org.secpod.oval:def:600255
oval:org.secpod.oval:def:600495
...

© SecPod Technologies