PT-2009-5767 · Internet2 · Xmltooling+2

Chris Ries

Publicado

2009-09-29

Atualizado

2017-08-17

CVE-2009-3474

CVSS v2.0

7.5

Alta

Vetor

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions OpenSAML versions 2.0 through 2.2.0 XMLTooling versions 1.0 through 1.2.0 Internet2 Shibboleth Service Provider versions 2.0 through 2.2.0

Description The issue allows remote attackers to use a certificate for both signing and encryption when it is designated for just one purpose, potentially weakening the intended security application of the certificate. This is due to not following the KeyDescriptor element's Use attribute.

Recommendations For OpenSAML versions 2.0 through 2.2.0, update to version 2.2.1 or later. For XMLTooling versions 1.0 through 1.2.0, update to version 1.2.1 or later. For Internet2 Shibboleth Service Provider versions 2.0 through 2.2.0, update to version 2.2.1 or later.

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-310

Identificadores relacionados

CVE-2009-3474

DSA-1895-1

DSA-1895-2

DSA-1896-1

Produtos afetados

Opensaml

Shibboleth Service Provider

Xmltooling

PT-2009-5767 · Internet2 · Xmltooling+2

CVE-2009-3474

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 13