Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1ybTd2LWdxZmctcDJ3Y84AATps
Improper Validation of Certificate with Host Mismatch in Shibboleth Identity Provider and OpenSAML Java
The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java before 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Permalink: https://github.com/advisories/GHSA-rm7v-gqfg-p2wc
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ybTd2LWdxZmctcDJ3Y84AATps
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago
CVSS Score: 5.9
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Identifiers: GHSA-rm7v-gqfg-p2wc, CVE-2014-3603
References:
- https://nvd.nist.gov/vuln/detail/CVE-2014-3603
- https://bugzilla.redhat.com/show_bug.cgi?id=1131823
- http://shibboleth.net/community/advisories/secadv_20140813.txt
- https://github.com/advisories/GHSA-rm7v-gqfg-p2wc
Affected Packages
maven:org.opensaml:opensaml
Dependent packages: 140
Dependent repositories: 1,592
Downloads:
Affected Version Ranges: < 2.6.2
Fixed in: 2.6.2
All affected versions: 2.5.3, 2.6.0, 2.6.1
All unaffected versions: 2.6.4
maven:edu.internet2.middleware:shibboleth-identityprovider
Affected Version Ranges: < 2.4.1
Fixed in: 2.4.1