GHSA-78fq-w796-q537

Source

https://github.com/advisories/GHSA-78fq-w796-q537

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-78fq-w796-q537/GHSA-78fq-w796-q537.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-78fq-w796-q537

Aliases

CVE-2015-1796

Published

2022-05-17T03:38:17Z

Modified

2024-12-07T05:40:09.690327Z

Summary

Improper Certificate Validation in Shibboleth Identity Provider and OpenSAML

Details

The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor.

Database specific

{
    "nvd_published_at": "2015-07-08T15:59:00Z",
    "cwe_ids": [
        "CWE-295"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-06T20:25:31Z"
}

References

Affected packages

Maven / org.opensaml:opensaml

Package

Name: org.opensaml:opensaml; View open source insights on deps.dev
Purl: pkg:maven/org.opensaml/opensaml

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.6.5

Affected versions

1.*

1.1

2.*

2.1.0

2.2.0

2.2.1

2.2.3

2.4.1

2.5.1

2.5.1-1

2.5.3

2.6.0

2.6.1

2.6.4

Database specific

{
    "last_known_affected_version_range": "<= 2.6.4"
}

Maven / edu.internet2.middleware:shibboleth-identityprovider

Package

Name: edu.internet2.middleware:shibboleth-identityprovider; View open source insights on deps.dev
Purl: pkg:maven/edu.internet2.middleware/shibboleth-identityprovider

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.4

Database specific

{
    "last_known_affected_version_range": "<= 2.4.3"
}