CVE-2009-3475
29.09.2009, 23:30
Internet2 Shibboleth Service Provider software 1.3.x before 1.3.3 and 2.x before 2.2.1, when using PKIX trust validation, does not properly handle a '\0' character in the subject or subjectAltName fields of a certificate, which allows remote man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.Enginsight
| Vendor | Product | Version |
|---|---|---|
| internet2 | shibboleth-sp | 1.3.1 |
| internet2 | shibboleth-sp | 1.3.2 |
| internet2 | shibboleth-sp | 1.3f:f |
| internet2 | shibboleth-sp | 2.0 |
| internet2 | shibboleth-sp | 2.1 |
| internet2 | shibboleth-sp | 2.2 |
𝑥
= Vulnerable software versions
Debian Releases
Debian Product | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| opensaml |
| ||||||||||||
| shibboleth-sp |
| ||||||||||||
| xmltooling |
|
Ubuntu Releases
Ubuntu Product | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| opensaml |
| ||||||||||||||||||
| shibboleth-sp |
| ||||||||||||||||||
| xmltooling |
|
Common Weakness Enumeration
References