7.5

CVE-2009-3474

EPSS 1.29%
Veröffentlicht 29.09.2009 23:30:00
Zuletzt bearbeitet 09.04.2025 00:30:58
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

OpenSAML 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, as used by Internet2 Shibboleth Service Provider 2.x before 2.2.1, do not follow the KeyDescriptor element's Use attribute, which allows remote attackers to use a certificate for both signing and encryption when it is designated for just one purpose, potentially weakening the intended security application of the certificate.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 0 Referenzen 12

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Internet2 ≫ Opensaml Version2.0

Internet2 ≫ Opensaml Version2.1.0

Internet2 ≫ Opensaml Version2.2.0

Internet2 ≫ Xmltooling Version1.0.1

Internet2 ≫ Xmltooling Version1.1.0

Internet2 ≫ Xmltooling Version1.1.1

Internet2 ≫ Xmltooling Version1.2.0

Internet2 ≫ Shibboleth-sp Version1.3.1

Internet2 ≫ Shibboleth-sp Version1.3.2

Internet2 ≫ Shibboleth-sp Version1.3b

Internet2 ≫ Shibboleth-sp Version1.3f

Internet2 ≫ Shibboleth-sp Version2.0

Internet2 ≫ Shibboleth-sp Version2.1

Internet2 ≫ Shibboleth-sp Version2.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.29%	0.778

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

http://secunia.com/advisories/36855

Vendor Advisory

http://secunia.com/advisories/36868

Vendor Advisory

http://secunia.com/advisories/36876

Vendor Advisory

http://shibboleth.internet2.edu/secadv/secadv_20090817a.txt

Patch

Vendor Advisory

http://www.debian.org/security/2009/dsa-1895

Patch

http://www.debian.org/security/2009/dsa-1896

Patch

http://www.securityfocus.com/bid/36516

Patch

https://bugs.internet2.edu/jira/browse/CPPOST-28

https://exchange.xforce.ibmcloud.com/vulnerabilities/53474

https://nvd.nist.gov/vuln/detail/CVE-2009-3474

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2009-3474

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2009-3474

EUVD