Back to search
CVE-2009-3474
Published: Sep 29, 2009
Modified: Aug 7, 2024
PUBLISHED
Description
OpenSAML 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, as used by Internet2 Shibboleth Service Provider 2.x before 2.2.1, do not follow the KeyDescriptor element's Use attribute, which allows remote attackers to use a certificate for both signing and encryption when it is designated for just one purpose, potentially weakening the intended security application of the certificate.
| Vendor | Product | Versions |
|---|---|---|
n/a | n/a | affected n/a |
References
36516
vdb-entry
x_refsource_BID
opensaml-keydescriptor-security-bypass(53474)
vdb-entry
x_refsource_XF
http://shibboleth.internet2.edu/secadv/secadv_20090817a.txt
x_refsource_CONFIRM
36876
third-party-advisory
x_refsource_SECUNIA
DSA-1896
vendor-advisory
x_refsource_DEBIAN
36868
third-party-advisory
x_refsource_SECUNIA
DSA-1895
vendor-advisory
x_refsource_DEBIAN
https://bugs.internet2.edu/jira/browse/CPPOST-28
x_refsource_CONFIRM
36855
third-party-advisory
x_refsource_SECUNIA
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now