Lucene search

[email protected]CVE-2015-1796

HistoryJul 08, 2015 - 3:59 p.m.

CVE-2015-1796

2015-07-0815:59:00

CWE-254

[email protected]

web.nvd.nist.gov

pkix

trust engines

vulnerability

shibboleth identity provider

opensaml java

cve-2015-1796

8.3 High

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.004 Low

EPSS

Percentile

72.7%

JSON

The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor.

CPENameOperatorVersion
shibboleth:identity_providershibboleth identity providerle2.4.3
shibboleth:opensaml_javashibboleth opensaml javale2.6.4

CPE	Name	Operator	Version
shibboleth:identity_provider	shibboleth identity provider	le	2.4.3
shibboleth:opensaml_java	shibboleth opensaml java	le	2.6.4

References

rhn.redhat.com/errata/RHSA-2015-1176.html

rhn.redhat.com/errata/RHSA-2015-1177.html

www.securityfocus.com/bid/75370

shibboleth.net/community/advisories/secadv_20150225.txt

Social References

8.3 High

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.004 Low

EPSS

Percentile

72.7%

JSON

Related for CVE-2015-1796

osv1 prion1 ibm4 github1 ubuntucve1 pentestit1 redhat2