CVE-2012-2351

EUVD-2012-2344
The default configuration of the auth/saml plugin in Mahara before 1.4.2 sets the "Match username attribute to Remote username" option to false, which allows remote SAML IdP servers to spoof users of other SAML IdP servers by using the same internal username.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:N/I:P/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 55%
Affected Products (NVD)
VendorProductVersion
debiandebian_linux
6.0
maharamahara
𝑥
≤ 1.4.1
maharamahara
0.9.0
maharamahara
0.9.1
maharamahara
0.9.2
maharamahara
1.0.0
maharamahara
1.0.1
maharamahara
1.0.2
maharamahara
1.0.3
maharamahara
1.0.4
maharamahara
1.0.5
maharamahara
1.0.6
maharamahara
1.0.7
maharamahara
1.0.8
maharamahara
1.0.9
maharamahara
1.0.10
maharamahara
1.0.11
maharamahara
1.0.12
maharamahara
1.0.13
maharamahara
1.0.14
maharamahara
1.0.15
maharamahara
1.1
maharamahara
1.1.0
maharamahara
1.1.0:alpha1
maharamahara
1.1.0:alpha2
maharamahara
1.1.0:alpha3
maharamahara
1.1.0:beta1
maharamahara
1.1.0:beta2
maharamahara
1.1.0:beta3
maharamahara
1.1.0:beta4
maharamahara
1.1.0:rc1
maharamahara
1.1.0:rc2
maharamahara
1.1.1
maharamahara
1.1.2
maharamahara
1.1.3
maharamahara
1.1.4
maharamahara
1.1.5
maharamahara
1.1.6
maharamahara
1.1.7
maharamahara
1.1.8
maharamahara
1.1.9
maharamahara
1.2.0
maharamahara
1.2.0:alpha1
maharamahara
1.2.0:alpha2
maharamahara
1.2.0:alpha3
maharamahara
1.2.0:beta1
maharamahara
1.2.0:beta2
maharamahara
1.2.0:beta3
maharamahara
1.2.0:beta4
maharamahara
1.2.0:rc1
maharamahara
1.2.1
maharamahara
1.2.2
maharamahara
1.2.3
maharamahara
1.2.4
maharamahara
1.2.5
maharamahara
1.2.6
maharamahara
1.3.0
maharamahara
1.3.0:beta1
maharamahara
1.3.0:beta2
maharamahara
1.3.0:beta3
maharamahara
1.3.0:beta4
maharamahara
1.3.0:rc1
maharamahara
1.3.1
maharamahara
1.3.2
maharamahara
1.3.3
maharamahara
1.3.4
maharamahara
1.3.5
maharamahara
1.3.6
maharamahara
1.3.7
maharamahara
1.3.8
maharamahara
1.4:rc1
maharamahara
1.4:rc2
maharamahara
1.4:rc3
maharamahara
1.4:rc4
maharamahara
1.4.0
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
mahara
hardy
dne
lucid
ignored
natty
ignored
oneiric
ignored
precise
not-affected
quantal
not-affected
raring
not-affected
saucy
not-affected
Common Weakness Enumeration
References
http://gitorious.org/mahara/mahara/commit/f07be6020e70fa8f53cd77fdcd63e7fd7ff8aaea
http://www.debian.org/security/2012/dsa-2467
http://www.openwall.com/lists/oss-security/2012/05/11/9
http://www.openwall.com/lists/oss-security/2012/05/12/4
https://bugs.launchpad.net/mahara/+bug/932909
http://gitorious.org/mahara/mahara/commit/f07be6020e70fa8f53cd77fdcd63e7fd7ff8aaea
http://www.debian.org/security/2012/dsa-2467
http://www.openwall.com/lists/oss-security/2012/05/11/9
http://www.openwall.com/lists/oss-security/2012/05/12/4
https://bugs.launchpad.net/mahara/+bug/932909