Vulnerabilites related to shibboleth - shibboleth-identity-provider
CVE-2011-1411 (GCVE-0-2011-1411)
Vulnerability from cvelistv5
Published
2011-09-02 23:00
Modified
2024-08-06 22:28
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Shibboleth OpenSAML library 2.4.x before 2.4.3 and 2.5.x before 2.5.1, and IdP before 2.3.2, allows remote attackers to forge messages and bypass authentication via an "XML Signature wrapping attack."
References
| ► | URL | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T22:28:40.875Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://shibboleth.internet2.edu/secadv/secadv_20110725.txt"
},
{
"name": "DSA-2284",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2011/dsa-2284"
},
{
"name": "50994",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/50994"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html"
},
{
"name": "MDVSA-2013:150",
"tags": [
"vendor-advisory",
"x_refsource_MANDRIVA",
"x_transferred"
],
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:150"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2011-07-25T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Shibboleth OpenSAML library 2.4.x before 2.4.3 and 2.5.x before 2.5.1, and IdP before 2.3.2, allows remote attackers to forge messages and bypass authentication via an \"XML Signature wrapping attack.\""
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2012-10-20T09:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://shibboleth.internet2.edu/secadv/secadv_20110725.txt"
},
{
"name": "DSA-2284",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2011/dsa-2284"
},
{
"name": "50994",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/50994"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html"
},
{
"name": "MDVSA-2013:150",
"tags": [
"vendor-advisory",
"x_refsource_MANDRIVA"
],
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:150"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2011-1411",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Shibboleth OpenSAML library 2.4.x before 2.4.3 and 2.5.x before 2.5.1, and IdP before 2.3.2, allows remote attackers to forge messages and bypass authentication via an \"XML Signature wrapping attack.\""
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://shibboleth.internet2.edu/secadv/secadv_20110725.txt",
"refsource": "CONFIRM",
"url": "http://shibboleth.internet2.edu/secadv/secadv_20110725.txt"
},
{
"name": "DSA-2284",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2011/dsa-2284"
},
{
"name": "50994",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/50994"
},
{
"name": "http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html"
},
{
"name": "MDVSA-2013:150",
"refsource": "MANDRIVA",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:150"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2011-1411",
"datePublished": "2011-09-02T23:00:00",
"dateReserved": "2011-03-10T00:00:00",
"dateUpdated": "2024-08-06T22:28:40.875Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2011-09-02 23:55
Modified
2025-04-11 00:51
Severity ?
Summary
Shibboleth OpenSAML library 2.4.x before 2.4.3 and 2.5.x before 2.5.1, and IdP before 2.3.2, allows remote attackers to forge messages and bypass authentication via an "XML Signature wrapping attack."
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| shibboleth | opensaml | 2.4.0 | |
| shibboleth | opensaml | 2.4.1 | |
| shibboleth | opensaml | 2.4.2 | |
| shibboleth | opensaml | 2.5.0 | |
| shibboleth | shibboleth-identity-provider | * | |
| shibboleth | shibboleth-identity-provider | 2.0.0 | |
| shibboleth | shibboleth-identity-provider | 2.1.0 | |
| shibboleth | shibboleth-identity-provider | 2.1.1 | |
| shibboleth | shibboleth-identity-provider | 2.1.2 | |
| shibboleth | shibboleth-identity-provider | 2.1.3 | |
| shibboleth | shibboleth-identity-provider | 2.1.4 | |
| shibboleth | shibboleth-identity-provider | 2.1.5 | |
| shibboleth | shibboleth-identity-provider | 2.2.0 | |
| shibboleth | shibboleth-identity-provider | 2.2.1 | |
| shibboleth | shibboleth-identity-provider | 2.3.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:shibboleth:opensaml:2.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "326C4DAA-C2FE-431E-82AE-5260484EBDC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:shibboleth:opensaml:2.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "68F5A4FF-96ED-41CD-A83F-3810B9036037",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:shibboleth:opensaml:2.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "71772B98-345F-42E0-BBAC-309E24D887B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:shibboleth:opensaml:2.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E7CD6A0B-B78E-4D3C-81E4-27B8E4430F78",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:shibboleth:shibboleth-identity-provider:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6A943122-D2CD-4E2A-A0D5-A3C71B5E62EA",
"versionEndIncluding": "2.3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C7AAD703-4FB6-456A-B90E-370F3678FD02",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8969B3F6-03A3-471A-A023-A261D36995C3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "4490D05A-8D8E-4445-B404-6B951C50D5F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "9DEB9670-E47E-4181-8607-7F2E3C59306B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "9288EBA7-5975-4CF6-974B-45A12F2B81DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "2C5D4672-D1D7-41D3-8AAA-3EA180D5DDCB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "45AE00EF-707A-42FE-8673-0F1524C0B368",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5A7BEDBC-8026-459D-8A46-2F23311B23A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "857E10D3-3701-45CB-AAD7-31D8990A3DE4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5EC7D93A-FB15-4099-BF63-221704CEBA9B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Shibboleth OpenSAML library 2.4.x before 2.4.3 and 2.5.x before 2.5.1, and IdP before 2.3.2, allows remote attackers to forge messages and bypass authentication via an \"XML Signature wrapping attack.\""
},
{
"lang": "es",
"value": "La librer\u00eda Shibboleth OpenSAML v2.4.x antes de v2.4.3 y v2.5.x antes de v2.5.1, e IdP antes de v2.3.2, permite a atacantes remotos falsificar mensajes y eludir la autenticaci\u00f3n a trav\u00e9s de un ataque \"XML Signature wrapping\""
}
],
"id": "CVE-2011-1411",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2011-09-02T23:55:04.240",
"references": [
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/50994"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://shibboleth.internet2.edu/secadv/secadv_20110725.txt"
},
{
"source": "cve@mitre.org",
"url": "http://www.debian.org/security/2011/dsa-2284"
},
{
"source": "cve@mitre.org",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:150"
},
{
"source": "cve@mitre.org",
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/50994"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://shibboleth.internet2.edu/secadv/secadv_20110725.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2011/dsa-2284"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:150"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}