6.5

CVE-2018-0489

EPSS 0.24%
Published 27.02.2018 15:29:00
Last modified 21.11.2024 03:38:20
Source security@debian.org
Teams watchlist Login
Open Login

Shibboleth XMLTooling-C before 1.6.4, as used in Shibboleth Service Provider before 2.6.1.4 on Windows and other products, mishandles digital signatures of user data, which allows remote attackers to obtain sensitive information or conduct impersonation attacks via crafted XML data. NOTE: this issue exists because of an incomplete fix for CVE-2018-0486.

Affected products Warnungen 0 Metrics 3 CWE 1 References 9

Data is provided by the National Vulnerability Database (NVD)

Shibboleth ≫ Xmltooling-c Version < 1.6.4

Debian ≫ Debian Linux Version7.0

Debian ≫ Debian Linux Version8.0

Debian ≫ Debian Linux Version9.0

Arubanetworks ≫ Clearpass Version >= 6.6.0 <= 6.6.9

Arubanetworks ≫ Clearpass Version >= 6.7.0 < 6.7.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.24%	0.476

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.5	3.9	2.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
nvd@nist.gov	6.4	10	4.9	AV:N/AC:L/Au:N/C:P/I:P/A:N

CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-003.txt

Third Party Advisory

http://www.securityfocus.com/bid/103172

Third Party Advisory

VDB Entry

http://www.securitytracker.com/id/1040435

Third Party Advisory

VDB Entry

https://lists.debian.org/debian-lts-announce/2018/02/msg00031.html

Issue Tracking

https://shibboleth.net/community/advisories/secadv_20180227.txt

Patch

Vendor Advisory

https://www.debian.org/security/2018/dsa-4126

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2018-0489

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-0489

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-0489

EUVD