CVSS2: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P

AI Score: 6.6 Medium
Confidence: Low

EPSS: 0.007 Low
Percentile: 80.1%

OpenSAML 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, as used by Internet2 Shibboleth Service Provider 2.x before 2.2.1, do not follow the KeyDescriptor element’s Use attribute, which allows remote attackers to use a certificate for both signing and encryption when it is designated for just one purpose, potentially weakening the intended security application of the certificate.
secunia.com/advisories/36855
secunia.com/advisories/36868
secunia.com/advisories/36876
shibboleth.internet2.edu/secadv/secadv_20090817a.txt
www.debian.org/security/2009/dsa-1895
www.debian.org/security/2009/dsa-1896
www.securityfocus.com/bid/36516
bugs.internet2.edu/jira/browse/CPPOST-28
exchange.xforce.ibmcloud.com/vulnerabilities/53474