CVE-2015-1796

The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.3 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 38%
VendorProductVersion
shibbolethidentity_provider
𝑥
≤ 2.4.3
shibbolethopensaml_java
𝑥
≤ 2.6.4
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libopensaml2-java
wily
dne
vivid
ignored
utopic
ignored
trusty
dne
precise
dne
lucid
dne
Common Weakness Enumeration
References
http://rhn.redhat.com/errata/RHSA-2015-1176.html
http://rhn.redhat.com/errata/RHSA-2015-1177.html
http://www.securityfocus.com/bid/75370
https://shibboleth.net/community/advisories/secadv_20150225.txt
http://rhn.redhat.com/errata/RHSA-2015-1176.html
http://rhn.redhat.com/errata/RHSA-2015-1177.html
http://www.securityfocus.com/bid/75370
https://shibboleth.net/community/advisories/secadv_20150225.txt