CVSS: 5.9EPSS: 0%CPEs: 2EXPL: 1CVE-2014-3603
https://notcve.org/view.php?id=CVE-2014-3603
The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. Las implementaciones de (1) HttpResource y (2) FileBackedHttpResource en el Proveedor de Identidad (IdP) de Shibboleth, en versiones anteriores a la 2.4.1, y en OpenSAML Java, en su versión 2.6.2, no verifican que el nombre de host del servidor se corresponda con un nombre de dominio en el campo "Common Name" (CN) del asunto o en el campo "subjectAltName" del certificado X.509. Esto permite a los atacantes Man-in-the-Middle (MitM) suplantar los servidores SSL a través de un certificado arbitrario válido. • http://secunia.com/advisories/60816 http://shibboleth.net/community/advisories/secadv_20140813.txt https://bugzilla.redhat.com/show_bug.cgi?id=1131823 • CWE-297: Improper Validation of Certificate with Host Mismatch •
CVSS: 6.3EPSS: 0%CPEs: 2EXPL: 0CVE-2015-1796 – Java: PKIX Trust Engines Exhibit Critical Flaw In Trusted Names Evaluation
https://notcve.org/view.php?id=CVE-2015-1796
The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor. Los motores de confianza PKIX en Shibboleth Identity Provider anterior a 2.4.4 y OpenSAML Java (OpenSAML-J) anterior a 2.6.5 confían en los certificados X.509 de candidatos cuando nombres no confiables están disponibles para el identificador de entidad, lo que permite a atacantes remotos suplantar una entidad a través de un certificado emitido por una ancla de confianza shibmd:KeyAuthority. It was found that PKIX trust components allowed an X.509 credential to be trusted if no trusted names were available for the entityID. An attacker could use a certificate issued by a shibmd:KeyAuthority trust anchor to impersonate an entity within the scope of that keyAuthority. • http://rhn.redhat.com/errata/RHSA-2015-1176.html http://rhn.redhat.com/errata/RHSA-2015-1177.html http://www.securityfocus.com/bid/75370 https://shibboleth.net/community/advisories/secadv_20150225.txt https://access.redhat.com/security/cve/CVE-2015-1796 https://bugzilla.redhat.com/show_bug.cgi?id=1196619 • CWE-254: 7PK - Security Features •
CVSS: 2.6EPSS: 0%CPEs: 16EXPL: 0CVE-2009-3300
https://notcve.org/view.php?id=CVE-2009-3300
Multiple cross-site scripting (XSS) vulnerabilities in the Identity Provider (IdP) 1.3.x before 1.3.4 and 2.x before 2.1.5, and the Service Provider 1.3.x before 1.3.5 and 2.x before 2.3, in Internet2 Middleware Initiative Shibboleth allow remote attackers to inject arbitrary web script or HTML via URLs that are encountered in redirections, and appear in automatically generated forms. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en Identity Provider (IdP) v1.3.x anteriores a v1.3.4 y v2.x anteriores a v2.1.5, y el Service Provider v1.3.x anteriores a v1.3.5 y v2.x anteriores a v2.3, en Internet2 Middleware Initiative Shibboleth permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección mediante URLs que se encuentran en redirecciones, y aparecen en formularios generados automáticamente. • http://secunia.com/advisories/37237 http://shibboleth.internet2.edu/secadv/secadv_20091104.txt http://www.debian.org/security/2009/dsa-1947 http://www.vupen.com/english/advisories/2009/3150 https://exchange.xforce.ibmcloud.com/vulnerabilities/54140 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •