exploitDog

CVE-2021-33054

Published: 4 June 2021
Source: debian

Description

SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receives. Any actor with network access to the deployment could impersonate users when SAML is the authentication method. (Only versions after 2.0.5a are affected.)
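The bug class behind this advisory, shown as an added illustration that is not SOGo or lasso code: a toy SAML service provider that extracts the NameID from an assertion without checking the IdP signature accepts any assertion an attacker can deliver to it, while one that verifies the signature first rejects both unsigned and tampered assertions. To keep the example offline and dependency-free, the "IdP signature" is a constructed stand-in (HMAC-SHA256 over the assertion with its ds:Signature element removed) rather than real XML-DSig; the key, the issuer URL, and all function names (idp_issue, tamper, vulnerable_sp, hardened_sp, login) are hypothetical.

```python
"""Missing SAML signature validation as an impersonation primitive.

Added example, not SOGo/lasso code. The signature is an HMAC stand-in for
XML-DSig so the script runs with the standard library only.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ET.register_namespace("saml", NS["saml"])
ET.register_namespace("ds", NS["ds"])

IDP_KEY = b"constructed-idp-signing-key"  # hypothetical IdP key (stand-in for its cert)


class SamlError(Exception):
    """Raised by the hardened SP when an assertion must not be trusted."""


def build_assertion(name_id: str) -> ET.Element:
    """Unsigned assertion skeleton: Issuer plus Subject/NameID."""
    assertion = ET.Element(f"{{{NS['saml']}}}Assertion")
    ET.SubElement(assertion, f"{{{NS['saml']}}}Issuer").text = "https://idp.example"
    subject = ET.SubElement(assertion, f"{{{NS['saml']}}}Subject")
    ET.SubElement(subject, f"{{{NS['saml']}}}NameID").text = name_id
    return assertion


def canonical_assertion(assertion: ET.Element) -> bytes:
    """Toy canonicalization: serialize the assertion with ds:Signature removed."""
    copy = ET.fromstring(ET.tostring(assertion))
    for sig in copy.findall("ds:Signature", NS):
        copy.remove(sig)
    return ET.tostring(copy, encoding="utf-8")


def idp_issue(name_id: str, key: bytes = IDP_KEY) -> bytes:
    """Honest IdP: sign the canonical assertion and embed the signature value."""
    assertion = build_assertion(name_id)
    mac = hmac.new(key, canonical_assertion(assertion), hashlib.sha256).digest()
    sig = ET.SubElement(assertion, f"{{{NS['ds']}}}Signature")
    ET.SubElement(sig, f"{{{NS['ds']}}}SignatureValue").text = base64.b64encode(mac).decode()
    return ET.tostring(assertion, encoding="utf-8")


def tamper(signed: bytes, new_name_id: str) -> bytes:
    """Attacker with network access: rewrite the subject of a captured assertion.

    The stale signature is left in place; the attacker cannot re-sign it.
    """
    assertion = ET.fromstring(signed)
    assertion.find("saml:Subject/saml:NameID", NS).text = new_name_id
    return ET.tostring(assertion, encoding="utf-8")


def forge_unsigned(name_id: str) -> bytes:
    """Attacker: an assertion for the victim with no signature at all."""
    return ET.tostring(build_assertion(name_id), encoding="utf-8")


def vulnerable_sp(xml_bytes: bytes) -> str:
    """The CVE-2021-33054 pattern: trust the NameID, never look at the signature."""
    assertion = ET.fromstring(xml_bytes)
    return assertion.find("saml:Subject/saml:NameID", NS).text


def hardened_sp(xml_bytes: bytes, key: bytes = IDP_KEY) -> str:
    """Verify the IdP signature before trusting anything in the assertion.

    A real SP must additionally check the ds:Reference coverage, the Issuer,
    Audience, the validity window and InResponseTo; this block shows only the
    signature step the advisory is about.
    """
    assertion = ET.fromstring(xml_bytes)
    sig_value = assertion.find("ds:Signature/ds:SignatureValue", NS)
    if sig_value is None or not sig_value.text:
        raise SamlError("unsigned assertion")
    try:
        presented = base64.b64decode(sig_value.text, validate=True)
    except ValueError as exc:
        raise SamlError("malformed signature value") from exc
    expected = hmac.new(key, canonical_assertion(assertion), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        raise SamlError("signature does not verify against the IdP key")
    return assertion.find("saml:Subject/saml:NameID", NS).text


def login(sp, xml_bytes: bytes):
    """Run an SP implementation; return the authenticated NameID or None if rejected."""
    try:
        return sp(xml_bytes)
    except SamlError:
        return None


if __name__ == "__main__":
    genuine = idp_issue("alice@example.org")
    for label, assertion in [
        ("genuine", genuine),
        ("tampered", tamper(genuine, "admin@example.org")),
        ("unsigned", forge_unsigned("admin@example.org")),
    ]:
        print(f"{label:9s} vulnerable={login(vulnerable_sp, assertion)!r:22} "
              f"hardened={login(hardened_sp, assertion)!r}")
```

The vulnerable path logs in whichever NameID the attacker wrote, which is exactly the "impersonate users" outcome in the description; the hardened path only ever returns a NameID that the IdP key vouches for.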

Packages

Package   Status   Fixed version   Release   Type
sogo      fixed    5.1.1-1         -         package

Notes

  • https://www.sogo.nu/news/2021/saml-vulnerability.html

  • https://blogs.akamai.com/2021/06/saml-implementation-vulnerability-impacting-some-akamai-services.html

  • https://blogs.akamai.com/2021/06/akamai-eaa-impersonation-vulnerability---a-deep-dive.html

  • https://blogs.akamai.com/2021/06/sogo-and-packetfence-impacted-by-saml-implementation-vulnerabilities.html

  • Introduced by: https://github.com/inverse-inc/sogo/commit/5487f34b9ee9b9639e3f1d4a7abf4fad2d240d66 (SOGo-2.0.5)

  • Fixed by: https://github.com/inverse-inc/sogo/commit/e53636564680ac0df11ec898304bc442908ba746 (SOGo-5.1.1)

  • The CVE is assigned for the SOGo vulnerability regarding its use of lasso.

Related vulnerabilities

CVSS3: 7.5
ubuntu
over 4 years ago

Description identical to the Debian entry above.

CVSS3: 7.5
nvd
over 4 years ago

Description identical to the Debian entry above.

CVSS3: 7.5
github
over 3 years ago

Description identical to the Debian entry above.

CVSS3: 7.5
fstec
over 4 years ago

Vulnerability in the authentication method of the SOGo collaboration software, caused by improper verification of a cryptographic signature over data, allowing an attacker to affect data integrity.