PT-2009-5767 · Internet2 · Xmltooling+2

Chris Ries

Published

2009-09-29

Updated

2017-08-17

CVE-2009-3474

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions OpenSAML versions 2.0 through 2.2.0 XMLTooling versions 1.0 through 1.2.0 Internet2 Shibboleth Service Provider versions 2.0 through 2.2.0

Description The issue allows remote attackers to use a certificate for both signing and encryption when it is designated for just one purpose, potentially weakening the intended security application of the certificate. This is due to not following the KeyDescriptor element's Use attribute.

Recommendations For OpenSAML versions 2.0 through 2.2.0, update to version 2.2.1 or later. For XMLTooling versions 1.0 through 1.2.0, update to version 1.2.1 or later. For Internet2 Shibboleth Service Provider versions 2.0 through 2.2.0, update to version 2.2.1 or later.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-310

Related Identifiers

CVE-2009-3474

DSA-1895-1

DSA-1895-2

DSA-1896-1

Affected Products

Opensaml

Shibboleth Service Provider

Xmltooling

PT-2009-5767 · Internet2 · Xmltooling+2

CVE-2009-3474

Weakness Enumeration

Related Identifiers

Affected Products

References · 13