7.5
CVE-2009-3474
- EPSS 1.29%
- Published 29.09.2009 23:30:00
- Last modified 09.04.2025 00:30:58
- Source cve@mitre.org
- Teams watchlist Login
- Open Login
OpenSAML 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, as used by Internet2 Shibboleth Service Provider 2.x before 2.2.1, do not follow the KeyDescriptor element's Use attribute, which allows remote attackers to use a certificate for both signing and encryption when it is designated for just one purpose, potentially weakening the intended security application of the certificate.
Data is provided by the National Vulnerability Database (NVD)
Internet2 ≫ Xmltooling Version1.0.1
Internet2 ≫ Xmltooling Version1.1.0
Internet2 ≫ Xmltooling Version1.1.1
Internet2 ≫ Xmltooling Version1.2.0
Internet2 ≫ Shibboleth-sp Version1.3.1
Internet2 ≫ Shibboleth-sp Version1.3.2
Internet2 ≫ Shibboleth-sp Version1.3b
Internet2 ≫ Shibboleth-sp Version1.3f
Internet2 ≫ Shibboleth-sp Version2.0
Internet2 ≫ Shibboleth-sp Version2.1
Internet2 ≫ Shibboleth-sp Version2.2
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.29% | 0.778 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 10 | 6.4 |
AV:N/AC:L/Au:N/C:P/I:P/A:P
|