CVE-2009-3474

Critical

Description

OpenSAML 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, as used by Internet2 Shibboleth Service Provider 2.x before 2.2.1, do not follow the KeyDescriptor element's Use attribute, which allows remote attackers to use a certificate for both signing and encryption when it is designated for just one purpose, potentially weakening the intended security application of the certificate.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/53474

https://bugs.internet2.edu/jira/browse/CPPOST-28

http://www.securityfocus.com/bid/36516

http://www.debian.org/security/2009/dsa-1896

http://www.debian.org/security/2009/dsa-1895

http://shibboleth.internet2.edu/secadv/secadv_20090817a.txt

http://secunia.com/advisories/36876

http://secunia.com/advisories/36868

http://secunia.com/advisories/36855

Details

Source: Mitre, NVD

Published: 2009-09-29

Updated: 2017-08-17

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Severity: Critical