Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 5.0
CVE Id CVE-2012-2351
Last Modified 16 Jul 2012 12:00:00
Published 12 Jul 2012 04:55:15
Confidentiality Impact NONE
Integrity Impact PARTIAL
Availability Impact NONE
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2012-2351

Summary

The default configuration of the auth/saml plugin in Mahara before 1.4.2 sets the "Match username attribute to Remote username" option to false, which allows remote SAML IdP servers to spoof users of other SAML IdP servers by using the same internal username.

Vulnerable Systems

Application

  • Mahara 0.9.0

  • Mahara 0.9.1

  • Mahara 0.9.2

  • Mahara 1.0.0

  • Mahara 1.0.1

  • Mahara 1.0.10

  • Mahara 1.0.11

  • Mahara 1.0.12

  • Mahara 1.0.13

  • Mahara 1.0.14

  • Mahara 1.0.15

  • Mahara 1.0.2

  • Mahara 1.0.3

  • Mahara 1.0.4

  • Mahara 1.0.5

  • Mahara 1.0.6

  • Mahara 1.0.7

  • Mahara 1.0.8

  • Mahara 1.0.9

  • Mahara 1.1

  • Mahara 1.1.0

  • Mahara 1.1.1

  • Mahara 1.1.2

  • Mahara 1.1.3

  • Mahara 1.1.4

  • Mahara 1.1.5

  • Mahara 1.1.6

  • Mahara 1.1.7

  • Mahara 1.1.8

  • Mahara 1.1.9

  • Mahara 1.2.0

  • Mahara 1.2.1

  • Mahara 1.2.2

  • Mahara 1.2.3

  • Mahara 1.2.4

  • Mahara 1.2.5

  • Mahara 1.2.6

  • Mahara 1.3.0

  • Mahara 1.3.1

  • Mahara 1.3.2

  • Mahara 1.3.3

  • Mahara 1.3.4

  • Mahara 1.3.5

  • Mahara 1.3.6

  • Mahara 1.3.7

  • Mahara 1.3.8

  • Mahara 1.4

  • Mahara 1.4.0

  • Mahara 1.4.1


References

MLIST - [oss-security] 20120512 Re: CVE request: mahara

CONFIRM - http://gitorious.org/mahara/mahara/commit/f07be6020e70fa8f53cd77fdcd63e7fd7ff8aaea

CONFIRM - https://bugs.launchpad.net/mahara/+bug/932909

MLIST - [oss-security] 20120511 CVE request: mahara

DEBIAN - DSA-2467


Last Updated: 27 May 2016 10:54:52