Skip to content

Improper Certificate Validation in Shibboleth Identity Provider and OpenSAML

Moderate severity GitHub Reviewed Published May 17, 2022 to the GitHub Advisory Database • Updated Jan 27, 2023

Package

maven edu.internet2.middleware:shibboleth-identityprovider (Maven)

Affected versions

<= 2.4.3

Patched versions

2.4.4
maven org.opensaml:opensaml (Maven)
<= 2.6.4
2.6.5

Description

The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor.

References

Published by the National Vulnerability Database Jul 8, 2015
Published to the GitHub Advisory Database May 17, 2022
Reviewed Jul 6, 2022
Last updated Jan 27, 2023

Severity

Moderate

EPSS score

0.376%
(74th percentile)

Weaknesses

CVE ID

CVE-2015-1796

GHSA ID

GHSA-78fq-w796-q537

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.