GHSA-78fq-w796-q537

Source
https://github.com/advisories/GHSA-78fq-w796-q537
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-78fq-w796-q537/GHSA-78fq-w796-q537.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-78fq-w796-q537
Aliases
  • CVE-2015-1796
Published
2022-05-17T03:38:17Z
Modified
2023-11-08T03:57:50.509364Z
Summary
Improper Certificate Validation in Shibboleth Identity Provider and OpenSAML
Details

The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor.

Affected packages

Maven / org.opensaml:opensaml

Package

Name
org.opensaml:opensaml
Purl
pkg:maven/org.opensaml/opensaml

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.6.5

Affected versions

1.*

1.1

2.*

2.1.0
2.2.0
2.2.1
2.2.3
2.4.1
2.5.1
2.5.1-1
2.5.3
2.6.0
2.6.1
2.6.4

Database specific

{
    "last_known_affected_version_range": "<= 2.6.4"
}

Maven / edu.internet2.middleware:shibboleth-identityprovider

Package

Name
edu.internet2.middleware:shibboleth-identityprovider
Purl
pkg:maven/edu.internet2.middleware/shibboleth-identityprovider

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.4.4

Database specific

{
    "last_known_affected_version_range": "<= 2.4.3"
}