Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score: 7.5
CVE Id: CVE-2009-3474
Last Modified: 30 Sep 2009 01:25:41
Published: 29 Sep 2009 07:30:00
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE

CVE-2009-3474

Summary

OpenSAML 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, as used by Internet2 Shibboleth Service Provider 2.x before 2.2.1, do not follow the KeyDescriptor element's Use attribute, which allows remote attackers to use a certificate for both signing and encryption when it is designated for just one purpose, potentially weakening the intended security application of the certificate.

Vulnerable Systems

Application

  • Internet2 Opensaml 2.0
  • Internet2 Opensaml 2.1.0
  • Internet2 Opensaml 2.2.0
  • Internet2 Shibboleth-sp 1.3.1
  • Internet2 Shibboleth-sp 1.3.2
  • Internet2 Shibboleth-sp 1.3b
  • Internet2 Shibboleth-sp 1.3f
  • Internet2 Shibboleth-sp 2.0
  • Internet2 Shibboleth-sp 2.1
  • Internet2 Shibboleth-sp 2.2
  • Internet2 Xmltooling 1.0.1
  • Internet2 Xmltooling 1.1.0
  • Internet2 Xmltooling 1.1.1
  • Internet2 Xmltooling 1.2.0

References

  • BID - 36516
  • DEBIAN - DSA-1896
  • DEBIAN - DSA-1895
  • CONFIRM - http://shibboleth.internet2.edu/secadv/secadv_20090817a.txt
  • CONFIRM - https://bugs.internet2.edu/jira/browse/CPPOST-28
  • XF - opensaml-keydescriptor-security-bypass(53474)
  • SECUNIA - 36876
  • SECUNIA - 36868
  • SECUNIA - 36855


Last Updated: 27 May 2016 10:51:16