CVE-2009-3474
N/A
N/A
Summary
OpenSAML 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, as used by Internet2 Shibboleth Service Provider 2.x before 2.2.1, do not follow the KeyDescriptor element's Use attribute, which allows remote attackers to use a certificate for both signing and encryption when it is designated for just one purpose, potentially weakening the intended security application of the certificate.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CVE Program Container
Additional References
- http://www.securityfocus.com/bid/36516
- https://exchange.xforce.ibmcloud.com/vulnerabilities/53474
- http://shibboleth.internet2.edu/secadv/secadv_20090817a.txt
- http://secunia.com/advisories/36876
- http://www.debian.org/security/2009/dsa-1896
- http://secunia.com/advisories/36868
- http://www.debian.org/security/2009/dsa-1895
- https://bugs.internet2.edu/jira/browse/CPPOST-28
- http://secunia.com/advisories/36855
References
- http://www.securityfocus.com/bid/36516
- https://exchange.xforce.ibmcloud.com/vulnerabilities/53474
- http://shibboleth.internet2.edu/secadv/secadv_20090817a.txt
- http://secunia.com/advisories/36876
- http://www.debian.org/security/2009/dsa-1896
- http://secunia.com/advisories/36868
- http://www.debian.org/security/2009/dsa-1895
- https://bugs.internet2.edu/jira/browse/CPPOST-28
- http://secunia.com/advisories/36855
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.