Vulnerability

CVE-2015-1796

 Report advisory or correction

CVSS Score 4.3 medium

CVSS Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

CWE

CWE-254

References

https://issues.shibboleth.net/jira/browse/JXT-116
https://shibboleth.net/community/advisories/secadv_20150225.txt
https://wiki.shibboleth.net/confluence/display/SHIB2/20150225+Security+Advisory+Examples
https://bugzilla.redhat.com/show_bug.cgi?id=1196619
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1796

[CVE-2015-1796] CWE-254

Description

The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor.

See org.opensaml/xmltooling package information