7.5
CVE-2009-3474
- EPSS 1.54%
- Veröffentlicht 29.09.2009 23:30:00
- Zuletzt bearbeitet 16.06.2026 23:11:40
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
OpenSAML 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, as used by Internet2 Shibboleth Service Provider 2.x before 2.2.1, do not follow the KeyDescriptor element's Use attribute, which allows remote attackers to use a certificate for both signing and encryption when it is designated for just one purpose, potentially weakening the intended security application of the certificate.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Internet2 ≫ Xmltooling Version1.0.1
Internet2 ≫ Xmltooling Version1.1.0
Internet2 ≫ Xmltooling Version1.1.1
Internet2 ≫ Xmltooling Version1.2.0
Internet2 ≫ Shibboleth-sp Version1.3.1
Internet2 ≫ Shibboleth-sp Version1.3.2
Internet2 ≫ Shibboleth-sp Version1.3b
Internet2 ≫ Shibboleth-sp Version1.3f
Internet2 ≫ Shibboleth-sp Version2.0
Internet2 ≫ Shibboleth-sp Version2.1
Internet2 ≫ Shibboleth-sp Version2.2
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.54% | 0.717 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 10 | 6.4 |
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
http://secunia.com/advisories/36855
http://secunia.com/advisories/36868
http://secunia.com/advisories/36876
http://shibboleth.internet2.edu/secadv/secadv_20090817a.txt
http://www.debian.org/security/2009/dsa-1895
http://www.debian.org/security/2009/dsa-1896
http://www.securityfocus.com/bid/36516
https://bugs.internet2.edu/jira/browse/CPPOST-28
https://exchange.xforce.ibmcloud.com/vulnerabilities/53474