Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03OGZxLXc3OTYtcTUzN84AAc6g
Improper Certificate Validation in Shibboleth Identity Provider and OpenSAML
The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor.
Permalink: https://github.com/advisories/GHSA-78fq-w796-q537JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03OGZxLXc3OTYtcTUzN84AAc6g
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago
Identifiers: GHSA-78fq-w796-q537, CVE-2015-1796
References:
- https://nvd.nist.gov/vuln/detail/CVE-2015-1796
- https://shibboleth.net/community/advisories/secadv_20150225.txt
- http://rhn.redhat.com/errata/RHSA-2015-1176.html
- http://rhn.redhat.com/errata/RHSA-2015-1177.html
- https://github.com/advisories/GHSA-78fq-w796-q537
Affected Packages
maven:edu.internet2.middleware:shibboleth-identityprovider
Affected Version Ranges: <= 2.4.3Fixed in: 2.4.4
maven:org.opensaml:opensaml
Dependent packages: 140Dependent repositories: 1,592
Downloads:
Affected Version Ranges: <= 2.6.4
Fixed in: 2.6.5
All affected versions: 2.5.3, 2.6.0, 2.6.1, 2.6.4
All unaffected versions: