CVE-2015-1796

EPSS 0.17%

Improper Certificate Validation in Shibboleth Identity Provider and OpenSAML

Published: 5/17/2022Modified: 12/7/2024

Description

The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor.

Affected packages (2)

Maven/edu.internet2.middleware:shibboleth-identityproviderfrom 0, < 2.4.4
Maven/org.opensaml:opensamlfrom 0, < 2.6.5

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2015-1796
WEBhttp://rhn.redhat.com/errata/RHSA-2015-1176.html
WEBhttp://rhn.redhat.com/errata/RHSA-2015-1177.html
WEBhttps://shibboleth.net/community/advisories/secadv_20150225.txt