The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor.
CPE | Name | Operator | Version |
---|---|---|---|
identity_provider | le | 2.4.3 | |
opensaml_java | le | 2.6.4 |