CVE-2021-33054
N/A
N/A
Summary
SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receives. Any actor with network access to the deployment could impersonate users when SAML is the authentication method. (Only versions after 2.0.5a are affected.)
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CVE Program Container
Additional References
- https://www.sogo.nu/news.html
- https://github.com/inverse-inc/sogo/blob/master/CHANGELOG.md
- https://blogs.akamai.com/2021/06/sogo-and-packetfence-impacted-by-saml-implementation-vulnerabilities.html
- https://lists.debian.org/debian-lts-announce/2021/07/msg00007.html
- https://www.debian.org/security/2021/dsa-5029
References
- https://www.sogo.nu/news.html
- https://github.com/inverse-inc/sogo/blob/master/CHANGELOG.md
- https://blogs.akamai.com/2021/06/sogo-and-packetfence-impacted-by-saml-implementation-vulnerabilities.html
- https://lists.debian.org/debian-lts-announce/2021/07/msg00007.html
- https://www.debian.org/security/2021/dsa-5029
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.