PT-2015-6876 · Adnovum · Nevisauth
Antoine Neuenschwander +1 · Published 2015-09-28 · Updated 2018-10-09 · CVE-2015-5372
CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions
AdNovum nevisAuth versions 4.13.0.0 through 4.18.3.0
Description
The issue concerns the SAML 2.0 implementation when using SAML POST-Binding. It does not properly match all attributes of the X.509 certificate embedded in the assertion against the certificate from the identity provider (IdP). This allows remote attackers to inject arbitrary SAML assertions via a crafted certificate.
Recommendations
For AdNovum nevisAuth versions 4.13.0.0 through 4.18.3.0, update to version 4.18.3.1 or later to resolve the issue.
Fix
Improper Authentication
Weakness Enumeration
Related Identifiers
Affected Products
Nevisauth