
CVE-2015-1796

Published: 25 Feb 2015
Source: redhat
CVSS2: 6.3
EPSS: Low

Description

The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor.

It was found that PKIX trust components allowed an X.509 credential to be trusted if no trusted names were available for the entityID. An attacker could use a certificate issued by a shibmd:KeyAuthority trust anchor to impersonate an entity within the scope of that keyAuthority.

Affected packages

| Platform | Package | Status | Recommendation | Release |
| --- | --- | --- | --- | --- |
| Red Hat JBoss Data Grid 6 | opensaml-java | Affected | | |
| Red Hat JBoss Data Virtualization 6 | opensaml | Affected | | |
| Red Hat JBoss Enterprise Application Platform 5 | opensaml | Affected | | |
| Red Hat JBoss Enterprise Application Platform 6 | opensaml | Affected | | |
| Red Hat JBoss Enterprise Web Server 1 | fuse-6 | Affected | | |
| Red Hat JBoss Enterprise Web Server 1 | fuse-esb-7 | Affected | | |
| Red Hat JBoss Fuse Service Works 6 | opensaml | Affected | | |
| Red Hat JBoss Operations Network 3 | opensaml | Affected | | |
| Red Hat JBoss Portal 5 | opensaml | Affected | | |
| Red Hat JBoss Portal 6 | opensaml | Affected | | |


Additional information

Status:

Important
https://bugzilla.redhat.com/show_bug.cgi?id=1196619 Java: PKIX Trust Engines Exhibit Critical Flaw In Trusted Names Evaluation

EPSS

Percentile: 38%
0.00166
Low

6.3 Medium

CVSS2

Related vulnerabilities

ubuntu
more than 10 years ago

The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor.

nvd
more than 10 years ago

The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor.

debian
more than 10 years ago

The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 an ...

github
more than 3 years ago

Improper Certificate Validation in Shibboleth Identity Provider and OpenSAML
