Sep 29, 2009 - 12:00 a.m.

CVE-2009-3474

ubuntu.com
CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

EPSS: 0.007 Low (Percentile: 80.1%)

OpenSAML 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, as used by
Internet2 Shibboleth Service Provider 2.x before 2.2.1, do not follow the
KeyDescriptor element’s Use attribute, which allows remote attackers to use
a certificate for both signing and encryption when it is designated for
just one purpose, potentially weakening the intended security application
of the certificate.

OS      OS Version  Architecture  Package        Package Version                    Filename
ubuntu  8.10        noarch        opensaml       < 1.1.1-2+lenny1build0.8.10.2      UNKNOWN
ubuntu  9.04        noarch        opensaml       < 1.1.1-2+lenny1build0.9.04.2      UNKNOWN
ubuntu  9.04        noarch        shibboleth-sp  < 1.3.1.dfsg1-3+lenny1build0.9.04.2  UNKNOWN
ubuntu  8.10        noarch        xmltooling     < 1.0-2+lenny1build0.8.10.1        UNKNOWN
ubuntu  9.04        noarch        xmltooling     < 1.0-2+lenny1build0.9.04.1        UNKNOWN
