cvelistv5 - cve-2011-1411

CVE-2011-1411 (GCVE-0-2011-1411)

Vulnerability from cvelistv5 – Published: 2011-09-02 23:00 – Updated: 2024-08-06 22:28

Summary

Shibboleth OpenSAML library 2.4.x before 2.4.3 and 2.5.x before 2.5.1, and IdP before 2.3.2, allows remote attackers to forge messages and bypass authentication via an "XML Signature wrapping attack."

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	http://shibboleth.internet2.edu/secadv/secadv_201…	x_refsource_CONFIRM
	http://www.debian.org/security/2011/dsa-2284	vendor-advisoryx_refsource_DEBIAN
	http://secunia.com/advisories/50994	third-party-advisoryx_refsource_SECUNIA
	http://www.oracle.com/technetwork/topics/security…	x_refsource_CONFIRM
	http://www.mandriva.com/security/advisories?name=…	vendor-advisoryx_refsource_MANDRIVA

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T22:28:40.875Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://shibboleth.internet2.edu/secadv/secadv_20110725.txt"
          },
          {
            "name": "DSA-2284",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2011/dsa-2284"
          },
          {
            "name": "50994",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/50994"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html"
          },
          {
            "name": "MDVSA-2013:150",
            "tags": [
              "vendor-advisory",
              "x_refsource_MANDRIVA",
              "x_transferred"
            ],
            "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:150"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2011-07-25T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Shibboleth OpenSAML library 2.4.x before 2.4.3 and 2.5.x before 2.5.1, and IdP before 2.3.2, allows remote attackers to forge messages and bypass authentication via an \"XML Signature wrapping attack.\""
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2012-10-20T09:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://shibboleth.internet2.edu/secadv/secadv_20110725.txt"
        },
        {
          "name": "DSA-2284",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2011/dsa-2284"
        },
        {
          "name": "50994",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/50994"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html"
        },
        {
          "name": "MDVSA-2013:150",
          "tags": [
            "vendor-advisory",
            "x_refsource_MANDRIVA"
          ],
          "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:150"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2011-1411",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Shibboleth OpenSAML library 2.4.x before 2.4.3 and 2.5.x before 2.5.1, and IdP before 2.3.2, allows remote attackers to forge messages and bypass authentication via an \"XML Signature wrapping attack.\""
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://shibboleth.internet2.edu/secadv/secadv_20110725.txt",
              "refsource": "CONFIRM",
              "url": "http://shibboleth.internet2.edu/secadv/secadv_20110725.txt"
            },
            {
              "name": "DSA-2284",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2011/dsa-2284"
            },
            {
              "name": "50994",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/50994"
            },
            {
              "name": "http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html",
              "refsource": "CONFIRM",
              "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html"
            },
            {
              "name": "MDVSA-2013:150",
              "refsource": "MANDRIVA",
              "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:150"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2011-1411",
    "datePublished": "2011-09-02T23:00:00",
    "dateReserved": "2011-03-10T00:00:00",
    "dateUpdated": "2024-08-06T22:28:40.875Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:shibboleth:opensaml:2.4.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"326C4DAA-C2FE-431E-82AE-5260484EBDC4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:shibboleth:opensaml:2.4.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"68F5A4FF-96ED-41CD-A83F-3810B9036037\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:shibboleth:opensaml:2.4.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"71772B98-345F-42E0-BBAC-309E24D887B7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:shibboleth:opensaml:2.5.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E7CD6A0B-B78E-4D3C-81E4-27B8E4430F78\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:shibboleth:shibboleth-identity-provider:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"2.3.1\", \"matchCriteriaId\": \"6A943122-D2CD-4E2A-A0D5-A3C71B5E62EA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C7AAD703-4FB6-456A-B90E-370F3678FD02\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"8969B3F6-03A3-471A-A023-A261D36995C3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.1.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4490D05A-8D8E-4445-B404-6B951C50D5F0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.1.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9DEB9670-E47E-4181-8607-7F2E3C59306B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.1.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9288EBA7-5975-4CF6-974B-45A12F2B81DB\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.1.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2C5D4672-D1D7-41D3-8AAA-3EA180D5DDCB\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.1.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"45AE00EF-707A-42FE-8673-0F1524C0B368\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.2.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5A7BEDBC-8026-459D-8A46-2F23311B23A3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.2.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"857E10D3-3701-45CB-AAD7-31D8990A3DE4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.3.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5EC7D93A-FB15-4099-BF63-221704CEBA9B\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Shibboleth OpenSAML library 2.4.x before 2.4.3 and 2.5.x before 2.5.1, and IdP before 2.3.2, allows remote attackers to forge messages and bypass authentication via an \\\"XML Signature wrapping attack.\\\"\"}, {\"lang\": \"es\", \"value\": \"La librer\\u00eda Shibboleth OpenSAML v2.4.x antes de v2.4.3 y v2.5.x antes de v2.5.1, e IdP antes de v2.3.2, permite a atacantes remotos falsificar mensajes y eludir la autenticaci\\u00f3n a trav\\u00e9s de un ataque \\\"XML Signature wrapping\\\"\"}]",
      "id": "CVE-2011-1411",
      "lastModified": "2024-11-21T01:26:15.140",
      "metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:P/A:N\", \"baseScore\": 5.8, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 4.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2011-09-02T23:55:04.240",
      "references": "[{\"url\": \"http://secunia.com/advisories/50994\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://shibboleth.internet2.edu/secadv/secadv_20110725.txt\", \"source\": \"cve@mitre.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.debian.org/security/2011/dsa-2284\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.mandriva.com/security/advisories?name=MDVSA-2013:150\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://secunia.com/advisories/50994\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://shibboleth.internet2.edu/secadv/secadv_20110725.txt\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.debian.org/security/2011/dsa-2284\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.mandriva.com/security/advisories?name=MDVSA-2013:150\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-287\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2011-1411\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2011-09-02T23:55:04.240\",\"lastModified\":\"2025-04-11T00:51:21.963\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Shibboleth OpenSAML library 2.4.x before 2.4.3 and 2.5.x before 2.5.1, and IdP before 2.3.2, allows remote attackers to forge messages and bypass authentication via an \\\"XML Signature wrapping attack.\\\"\"},{\"lang\":\"es\",\"value\":\"La librer\u00eda Shibboleth OpenSAML v2.4.x antes de v2.4.3 y v2.5.x antes de v2.5.1, e IdP antes de v2.3.2, permite a atacantes remotos falsificar mensajes y eludir la autenticaci\u00f3n a trav\u00e9s de un ataque \\\"XML Signature wrapping\\\"\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:N\",\"baseScore\":5.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:shibboleth:opensaml:2.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"326C4DAA-C2FE-431E-82AE-5260484EBDC4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:shibboleth:opensaml:2.4.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"68F5A4FF-96ED-41CD-A83F-3810B9036037\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:shibboleth:opensaml:2.4.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"71772B98-345F-42E0-BBAC-309E24D887B7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:shibboleth:opensaml:2.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E7CD6A0B-B78E-4D3C-81E4-27B8E4430F78\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:shibboleth:shibboleth-identity-provider:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.3.1\",\"matchCriteriaId\":\"6A943122-D2CD-4E2A-A0D5-A3C71B5E62EA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C7AAD703-4FB6-456A-B90E-370F3678FD02\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8969B3F6-03A3-471A-A023-A261D36995C3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4490D05A-8D8E-4445-B404-6B951C50D5F0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.1.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9DEB9670-E47E-4181-8607-7F2E3C59306B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.1.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9288EBA7-5975-4CF6-974B-45A12F2B81DB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.1.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2C5D4672-D1D7-41D3-8AAA-3EA180D5DDCB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.1.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"45AE00EF-707A-42FE-8673-0F1524C0B368\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5A7BEDBC-8026-459D-8A46-2F23311B23A3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.2.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"857E10D3-3701-45CB-AAD7-31D8990A3DE4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5EC7D93A-FB15-4099-BF63-221704CEBA9B\"}]}]}],\"references\":[{\"url\":\"http://secunia.com/advisories/50994\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://shibboleth.internet2.edu/secadv/secadv_20110725.txt\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.debian.org/security/2011/dsa-2284\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.mandriva.com/security/advisories?name=MDVSA-2013:150\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://secunia.com/advisories/50994\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://shibboleth.internet2.edu/secadv/secadv_20110725.txt\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.debian.org/security/2011/dsa-2284\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.mandriva.com/security/advisories?name=MDVSA-2013:150\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

GHSA-QWWJ-QJ3F-9HV7

Vulnerability from github – Published: 2022-05-17 05:02 – Updated: 2022-07-13 17:17

Summary

Improper Authentication in OpenSAML

Details

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.opensaml:opensaml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.opensaml:opensaml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.5.0"
            },
            {
              "fixed": "2.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2011-1411"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-13T17:17:40Z",
    "nvd_published_at": "2011-09-02T23:55:00Z",
    "severity": "MODERATE"
  },
  "details": "Shibboleth OpenSAML library 2.4.x before 2.4.3 and 2.5.x before 2.5.1, and IdP before 2.3.2, allows remote attackers to forge messages and bypass authentication via an \"XML Signature wrapping attack.\"",
  "id": "GHSA-qwwj-qj3f-9hv7",
  "modified": "2022-07-13T17:17:40Z",
  "published": "2022-05-17T05:02:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1411"
    },
    {
      "type": "WEB",
      "url": "http://shibboleth.internet2.edu/secadv/secadv_20110725.txt"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2011/dsa-2284"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Improper Authentication in OpenSAML"
}

CERTA-2012-AVI-578

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été corrigées dans Oracle Fusion Middleware. Certaines d'entre elles permettent une atteinte à la confidentialité des données, un contournement de la politique de sécurité et une élévation de privilèges.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Oracle	N/A	Oracle Outside In Technology version 8.3.7.0
Oracle	N/A	Oracle Application Server Single Sign-On version 10.1.4.3.0
Oracle	N/A	Oracle BI Publisher version 10.1.3.4.2, version 11.1.1.5.0, version 11.1.1.6.0, et version 11.1.1.6.2
Oracle	N/A	Oracle WebCenter Sites version 6.1, version 6.2, version 6.3.x, version 7, version 7.0.1, version 7.0.2, version 7.0.3, version 7.5, version 7.6.1, version 7.6.2 et version 11.1.1.6.0
Oracle	N/A	Oracle Event Processing version 2.0, version 11.1.1.4.0 et version 11.1.1.6.0
Oracle	N/A	Oracle Reports Developer version 11.1.1.4, version 11.1.1.6 et version 11.1.2.0
Oracle	N/A	Oracle WebLogic Server version 9.2.4.0, version 10.0.2.0, version 10.3.5.0, version 10.3.6.0 et version 12.1.1.0
Oracle	N/A	Oracle JRockit version 28.2.4 et versions antérieures
Oracle	N/A	Oracle Imaging and Process Management version 10.1.3.6.0

References

Title

Publication Time

Tags

Bulletin de sécurité Oracle cpuoct2012-1515893 du 16 Octobre 2012	None	vendor-advisory
Bulletin de sécurité Oracle cpuoct2012-1515893 du 16 octobre 2012 :	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Oracle Outside In Technology version 8.3.7.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Application Server Single Sign-On version 10.1.4.3.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle BI Publisher version 10.1.3.4.2, version 11.1.1.5.0, version 11.1.1.6.0, et version 11.1.1.6.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle WebCenter Sites version 6.1, version 6.2, version 6.3.x, version 7, version 7.0.1, version 7.0.2, version 7.0.3, version 7.5, version 7.6.1, version 7.6.2 et version 11.1.1.6.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Event Processing version 2.0, version 11.1.1.4.0 et version 11.1.1.6.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Reports Developer version 11.1.1.4, version 11.1.1.6 et version 11.1.2.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle WebLogic Server version 9.2.4.0, version 10.0.2.0, version 10.3.5.0, version 10.3.6.0 et version 12.1.1.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle JRockit version 28.2.4 et versions ant\u00e9rieures",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Imaging and Process Management version 10.1.3.6.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2012-0090",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-0090"
    },
    {
      "name": "CVE-2012-3217",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-3217"
    },
    {
      "name": "CVE-2012-3185",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-3185"
    },
    {
      "name": "CVE-2011-1411",
      "url": "https://www.cve.org/CVERecord?id=CVE-2011-1411"
    },
    {
      "name": "CVE-2012-0518",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-0518"
    },
    {
      "name": "CVE-2012-1686",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-1686"
    },
    {
      "name": "CVE-2012-3193",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-3193"
    },
    {
      "name": "CVE-2012-5065",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-5065"
    },
    {
      "name": "CVE-2012-3184",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-3184"
    },
    {
      "name": "CVE-2012-3175",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-3175"
    },
    {
      "name": "CVE-2012-3152",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-3152"
    },
    {
      "name": "CVE-2012-0092",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-0092"
    },
    {
      "name": "CVE-2012-3186",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-3186"
    },
    {
      "name": "CVE-2012-3194",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-3194"
    },
    {
      "name": "CVE-2012-0086",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-0086"
    },
    {
      "name": "CVE-2012-3202",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-3202"
    },
    {
      "name": "CVE-2012-0108",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-0108"
    },
    {
      "name": "CVE-2012-0106",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-0106"
    },
    {
      "name": "CVE-2012-0107",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-0107"
    },
    {
      "name": "CVE-2012-3153",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-3153"
    },
    {
      "name": "CVE-2012-3183",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-3183"
    },
    {
      "name": "CVE-2012-3214",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-3214"
    },
    {
      "name": "CVE-2012-0093",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-0093"
    },
    {
      "name": "CVE-2012-0095",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-0095"
    },
    {
      "name": "CVE-2012-0071",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-0071"
    }
  ],
  "links": [
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Oracle cpuoct2012-1515893 du 16    octobre 2012 :",
      "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html"
    }
  ],
  "reference": "CERTA-2012-AVI-578",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2012-10-17T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans \u003cspan\nclass=\"textit\"\u003eOracle Fusion Middleware\u003c/span\u003e. Certaines d\u0027entre elles\npermettent une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es, un\ncontournement de la politique de s\u00e9curit\u00e9 et une \u00e9l\u00e9vation de\nprivil\u00e8ges.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Oracle Fusion Middleware",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Oracle cpuoct2012-1515893 du 16 Octobre 2012",
      "url": null
    }
  ]
}

CERTA-2011-AVI-515

Vulnerability from certfr_avis - Published: - Updated:

Plusieurs vulnérabilités ont été corrigées dans IBM WebSphere. Elles permettent diverses atteintes à la disponibilité, à l'intégrité et à la confidentialité.

Description

Plusieurs vulnérabilités ont été corrigées dans IBM WebSphere :

lors de la déconnexion d'un utilisateur, celui-ci peut être dérouté vers une page non légitime, permettant par exemple le filoutage ;
un problème dans la bibliothèque de programmes APR (Apache Portable Runtime) permet à un utilisateur malveillant d'épuiser les ressources processeur à distance ;
un utilisateur local peut obtenir des informations sensibles au moyen d'une requête spécialement construite à destination de la console d'administration ;
la vérification de validité des certificats de clefs publiques est incorrecte ;
la console d'administration permet l'injection de requêtes par rebond (CRSF) ;
un utilisateur distant peut, sans autorisation, parcourir l'arborescence du système de fichiers au moyen d'un adresse (URI) particulière ;
l'encapsulation de signatures XML permet de contourner l'authentification.

Solution

Les versions IBM WebSphere 6.1.0.39 et 7.0.0.19 résolvent ces problèmes.

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

IBM WebSphere 6.x et 7.x.

Impacted products

	Vendor	Product	Description

References

Title

Publication Time

Tags

Bulletin de sécurité IBM swg27014463 du 12 septembre 2011	None	vendor-advisory
Bulletin de sécurité IBM swg27007951 du 18 juillet 2011 :	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [],
  "affected_systems_content": "\u003cp\u003eIBM WebSphere 6.x et 7.x.\u003c/p\u003e",
  "content": "## Description\n\nPlusieurs vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans IBM WebSphere\u00a0:\n\n-   lors de la d\u00e9connexion d\u0027un utilisateur, celui-ci peut \u00eatre d\u00e9rout\u00e9\n    vers une page non l\u00e9gitime, permettant par exemple le filoutage\u00a0;\n-   un probl\u00e8me dans la biblioth\u00e8que de programmes APR (Apache Portable\n    Runtime) permet \u00e0 un utilisateur malveillant d\u0027\u00e9puiser les\n    ressources processeur \u00e0 distance\u00a0;\n-   un utilisateur local peut obtenir des informations sensibles au\n    moyen d\u0027une requ\u00eate sp\u00e9cialement construite \u00e0 destination de la\n    console d\u0027administration\u00a0;\n-   la v\u00e9rification de validit\u00e9 des certificats de clefs publiques est\n    incorrecte\u00a0;\n-   la console d\u0027administration permet l\u0027injection de requ\u00eates par\n    rebond (CRSF)\u00a0;\n-   un utilisateur distant peut, sans autorisation, parcourir\n    l\u0027arborescence du syst\u00e8me de fichiers au moyen d\u0027un adresse (URI)\n    particuli\u00e8re\u00a0;\n-   l\u0027encapsulation de signatures XML permet de contourner\n    l\u0027authentification.\n\n## Solution\n\nLes versions IBM WebSphere 6.1.0.39 et 7.0.0.19 r\u00e9solvent ces probl\u00e8mes.\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2011-1411",
      "url": "https://www.cve.org/CVERecord?id=CVE-2011-1411"
    },
    {
      "name": "CVE-2011-1356",
      "url": "https://www.cve.org/CVERecord?id=CVE-2011-1356"
    },
    {
      "name": "CVE-2011-1359",
      "url": "https://www.cve.org/CVERecord?id=CVE-2011-1359"
    },
    {
      "name": "CVE-2011-1355",
      "url": "https://www.cve.org/CVERecord?id=CVE-2011-1355"
    },
    {
      "name": "CVE-2011-0419",
      "url": "https://www.cve.org/CVERecord?id=CVE-2011-0419"
    }
  ],
  "links": [
    {
      "title": "Bulletin de s\u00e9curit\u00e9 IBM swg27007951 du 18 juillet 2011 :",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg27007951#61039"
    }
  ],
  "reference": "CERTA-2011-AVI-515",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2011-09-14T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "Plusieurs vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans IBM WebSphere. Elles\npermettent diverses atteintes \u00e0 la disponibilit\u00e9, \u00e0 l\u0027int\u00e9grit\u00e9 et \u00e0 la\nconfidentialit\u00e9.\n",
  "title": "Vuln\u00e9rabilit\u00e9s dans IBM WebSphere",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM swg27014463 du 12 septembre 2011",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg27014463#70019"
    }
  ]
}

CERTA-2011-AVI-515

Vulnerability from certfr_avis - Published: - Updated:

Plusieurs vulnérabilités ont été corrigées dans IBM WebSphere. Elles permettent diverses atteintes à la disponibilité, à l'intégrité et à la confidentialité.

Description

Plusieurs vulnérabilités ont été corrigées dans IBM WebSphere :

lors de la déconnexion d'un utilisateur, celui-ci peut être dérouté vers une page non légitime, permettant par exemple le filoutage ;
un problème dans la bibliothèque de programmes APR (Apache Portable Runtime) permet à un utilisateur malveillant d'épuiser les ressources processeur à distance ;
un utilisateur local peut obtenir des informations sensibles au moyen d'une requête spécialement construite à destination de la console d'administration ;
la vérification de validité des certificats de clefs publiques est incorrecte ;
la console d'administration permet l'injection de requêtes par rebond (CRSF) ;
un utilisateur distant peut, sans autorisation, parcourir l'arborescence du système de fichiers au moyen d'un adresse (URI) particulière ;
l'encapsulation de signatures XML permet de contourner l'authentification.

Solution

Les versions IBM WebSphere 6.1.0.39 et 7.0.0.19 résolvent ces problèmes.

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

IBM WebSphere 6.x et 7.x.

Impacted products

	Vendor	Product	Description

References

Title

Publication Time

Tags

Bulletin de sécurité IBM swg27014463 du 12 septembre 2011	None	vendor-advisory
Bulletin de sécurité IBM swg27007951 du 18 juillet 2011 :	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [],
  "affected_systems_content": "\u003cp\u003eIBM WebSphere 6.x et 7.x.\u003c/p\u003e",
  "content": "## Description\n\nPlusieurs vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans IBM WebSphere\u00a0:\n\n-   lors de la d\u00e9connexion d\u0027un utilisateur, celui-ci peut \u00eatre d\u00e9rout\u00e9\n    vers une page non l\u00e9gitime, permettant par exemple le filoutage\u00a0;\n-   un probl\u00e8me dans la biblioth\u00e8que de programmes APR (Apache Portable\n    Runtime) permet \u00e0 un utilisateur malveillant d\u0027\u00e9puiser les\n    ressources processeur \u00e0 distance\u00a0;\n-   un utilisateur local peut obtenir des informations sensibles au\n    moyen d\u0027une requ\u00eate sp\u00e9cialement construite \u00e0 destination de la\n    console d\u0027administration\u00a0;\n-   la v\u00e9rification de validit\u00e9 des certificats de clefs publiques est\n    incorrecte\u00a0;\n-   la console d\u0027administration permet l\u0027injection de requ\u00eates par\n    rebond (CRSF)\u00a0;\n-   un utilisateur distant peut, sans autorisation, parcourir\n    l\u0027arborescence du syst\u00e8me de fichiers au moyen d\u0027un adresse (URI)\n    particuli\u00e8re\u00a0;\n-   l\u0027encapsulation de signatures XML permet de contourner\n    l\u0027authentification.\n\n## Solution\n\nLes versions IBM WebSphere 6.1.0.39 et 7.0.0.19 r\u00e9solvent ces probl\u00e8mes.\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2011-1411",
      "url": "https://www.cve.org/CVERecord?id=CVE-2011-1411"
    },
    {
      "name": "CVE-2011-1356",
      "url": "https://www.cve.org/CVERecord?id=CVE-2011-1356"
    },
    {
      "name": "CVE-2011-1359",
      "url": "https://www.cve.org/CVERecord?id=CVE-2011-1359"
    },
    {
      "name": "CVE-2011-1355",
      "url": "https://www.cve.org/CVERecord?id=CVE-2011-1355"
    },
    {
      "name": "CVE-2011-0419",
      "url": "https://www.cve.org/CVERecord?id=CVE-2011-0419"
    }
  ],
  "links": [
    {
      "title": "Bulletin de s\u00e9curit\u00e9 IBM swg27007951 du 18 juillet 2011 :",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg27007951#61039"
    }
  ],
  "reference": "CERTA-2011-AVI-515",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2011-09-14T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "Plusieurs vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans IBM WebSphere. Elles\npermettent diverses atteintes \u00e0 la disponibilit\u00e9, \u00e0 l\u0027int\u00e9grit\u00e9 et \u00e0 la\nconfidentialit\u00e9.\n",
  "title": "Vuln\u00e9rabilit\u00e9s dans IBM WebSphere",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM swg27014463 du 12 septembre 2011",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg27014463#70019"
    }
  ]
}

CERTA-2012-AVI-578

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Oracle	N/A	Oracle Outside In Technology version 8.3.7.0
Oracle	N/A	Oracle Application Server Single Sign-On version 10.1.4.3.0
Oracle	N/A	Oracle BI Publisher version 10.1.3.4.2, version 11.1.1.5.0, version 11.1.1.6.0, et version 11.1.1.6.2
Oracle	N/A	Oracle WebCenter Sites version 6.1, version 6.2, version 6.3.x, version 7, version 7.0.1, version 7.0.2, version 7.0.3, version 7.5, version 7.6.1, version 7.6.2 et version 11.1.1.6.0
Oracle	N/A	Oracle Event Processing version 2.0, version 11.1.1.4.0 et version 11.1.1.6.0
Oracle	N/A	Oracle Reports Developer version 11.1.1.4, version 11.1.1.6 et version 11.1.2.0
Oracle	N/A	Oracle WebLogic Server version 9.2.4.0, version 10.0.2.0, version 10.3.5.0, version 10.3.6.0 et version 12.1.1.0
Oracle	N/A	Oracle JRockit version 28.2.4 et versions antérieures
Oracle	N/A	Oracle Imaging and Process Management version 10.1.3.6.0

References

Title

Publication Time

Tags

Bulletin de sécurité Oracle cpuoct2012-1515893 du 16 Octobre 2012	None	vendor-advisory
Bulletin de sécurité Oracle cpuoct2012-1515893 du 16 octobre 2012 :	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Oracle Outside In Technology version 8.3.7.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Application Server Single Sign-On version 10.1.4.3.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle BI Publisher version 10.1.3.4.2, version 11.1.1.5.0, version 11.1.1.6.0, et version 11.1.1.6.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle WebCenter Sites version 6.1, version 6.2, version 6.3.x, version 7, version 7.0.1, version 7.0.2, version 7.0.3, version 7.5, version 7.6.1, version 7.6.2 et version 11.1.1.6.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Event Processing version 2.0, version 11.1.1.4.0 et version 11.1.1.6.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Reports Developer version 11.1.1.4, version 11.1.1.6 et version 11.1.2.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle WebLogic Server version 9.2.4.0, version 10.0.2.0, version 10.3.5.0, version 10.3.6.0 et version 12.1.1.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle JRockit version 28.2.4 et versions ant\u00e9rieures",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Imaging and Process Management version 10.1.3.6.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2012-0090",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-0090"
    },
    {
      "name": "CVE-2012-3217",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-3217"
    },
    {
      "name": "CVE-2012-3185",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-3185"
    },
    {
      "name": "CVE-2011-1411",
      "url": "https://www.cve.org/CVERecord?id=CVE-2011-1411"
    },
    {
      "name": "CVE-2012-0518",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-0518"
    },
    {
      "name": "CVE-2012-1686",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-1686"
    },
    {
      "name": "CVE-2012-3193",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-3193"
    },
    {
      "name": "CVE-2012-5065",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-5065"
    },
    {
      "name": "CVE-2012-3184",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-3184"
    },
    {
      "name": "CVE-2012-3175",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-3175"
    },
    {
      "name": "CVE-2012-3152",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-3152"
    },
    {
      "name": "CVE-2012-0092",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-0092"
    },
    {
      "name": "CVE-2012-3186",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-3186"
    },
    {
      "name": "CVE-2012-3194",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-3194"
    },
    {
      "name": "CVE-2012-0086",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-0086"
    },
    {
      "name": "CVE-2012-3202",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-3202"
    },
    {
      "name": "CVE-2012-0108",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-0108"
    },
    {
      "name": "CVE-2012-0106",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-0106"
    },
    {
      "name": "CVE-2012-0107",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-0107"
    },
    {
      "name": "CVE-2012-3153",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-3153"
    },
    {
      "name": "CVE-2012-3183",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-3183"
    },
    {
      "name": "CVE-2012-3214",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-3214"
    },
    {
      "name": "CVE-2012-0093",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-0093"
    },
    {
      "name": "CVE-2012-0095",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-0095"
    },
    {
      "name": "CVE-2012-0071",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-0071"
    }
  ],
  "links": [
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Oracle cpuoct2012-1515893 du 16    octobre 2012 :",
      "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html"
    }
  ],
  "reference": "CERTA-2012-AVI-578",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2012-10-17T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans \u003cspan\nclass=\"textit\"\u003eOracle Fusion Middleware\u003c/span\u003e. Certaines d\u0027entre elles\npermettent une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es, un\ncontournement de la politique de s\u00e9curit\u00e9 et une \u00e9l\u00e9vation de\nprivil\u00e8ges.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Oracle Fusion Middleware",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Oracle cpuoct2012-1515893 du 16 Octobre 2012",
      "url": null
    }
  ]
}

FKIE_CVE-2011-1411

Vulnerability from fkie_nvd - Published: 2011-09-02 23:55 - Updated: 2025-04-11 00:51

Severity ?

Summary

References

URL	Tags
cve@mitre.org	http://secunia.com/advisories/50994
cve@mitre.org	http://shibboleth.internet2.edu/secadv/secadv_20110725.txt	Vendor Advisory
cve@mitre.org	http://www.debian.org/security/2011/dsa-2284
cve@mitre.org	http://www.mandriva.com/security/advisories?name=MDVSA-2013:150
cve@mitre.org	http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/50994
af854a3a-2127-422b-91ae-364da2661108	http://shibboleth.internet2.edu/secadv/secadv_20110725.txt	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.debian.org/security/2011/dsa-2284
af854a3a-2127-422b-91ae-364da2661108	http://www.mandriva.com/security/advisories?name=MDVSA-2013:150
af854a3a-2127-422b-91ae-364da2661108	http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html

Impacted products

Vendor	Product	Version
shibboleth	opensaml	2.4.0
shibboleth	opensaml	2.4.1
shibboleth	opensaml	2.4.2
shibboleth	opensaml	2.5.0
shibboleth	shibboleth-identity-provider	*
shibboleth	shibboleth-identity-provider	2.0.0
shibboleth	shibboleth-identity-provider	2.1.0
shibboleth	shibboleth-identity-provider	2.1.1
shibboleth	shibboleth-identity-provider	2.1.2
shibboleth	shibboleth-identity-provider	2.1.3
shibboleth	shibboleth-identity-provider	2.1.4
shibboleth	shibboleth-identity-provider	2.1.5
shibboleth	shibboleth-identity-provider	2.2.0
shibboleth	shibboleth-identity-provider	2.2.1
shibboleth	shibboleth-identity-provider	2.3.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:shibboleth:opensaml:2.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "326C4DAA-C2FE-431E-82AE-5260484EBDC4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:shibboleth:opensaml:2.4.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "68F5A4FF-96ED-41CD-A83F-3810B9036037",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:shibboleth:opensaml:2.4.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "71772B98-345F-42E0-BBAC-309E24D887B7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:shibboleth:opensaml:2.5.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "E7CD6A0B-B78E-4D3C-81E4-27B8E4430F78",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:shibboleth:shibboleth-identity-provider:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6A943122-D2CD-4E2A-A0D5-A3C71B5E62EA",
              "versionEndIncluding": "2.3.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C7AAD703-4FB6-456A-B90E-370F3678FD02",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "8969B3F6-03A3-471A-A023-A261D36995C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "4490D05A-8D8E-4445-B404-6B951C50D5F0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.1.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "9DEB9670-E47E-4181-8607-7F2E3C59306B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.1.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "9288EBA7-5975-4CF6-974B-45A12F2B81DB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.1.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "2C5D4672-D1D7-41D3-8AAA-3EA180D5DDCB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.1.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "45AE00EF-707A-42FE-8673-0F1524C0B368",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "5A7BEDBC-8026-459D-8A46-2F23311B23A3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.2.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "857E10D3-3701-45CB-AAD7-31D8990A3DE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "5EC7D93A-FB15-4099-BF63-221704CEBA9B",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Shibboleth OpenSAML library 2.4.x before 2.4.3 and 2.5.x before 2.5.1, and IdP before 2.3.2, allows remote attackers to forge messages and bypass authentication via an \"XML Signature wrapping attack.\""
    },
    {
      "lang": "es",
      "value": "La librer\u00eda Shibboleth OpenSAML v2.4.x antes de v2.4.3 y v2.5.x antes de v2.5.1, e IdP antes de v2.3.2, permite a atacantes remotos falsificar mensajes y eludir la autenticaci\u00f3n a trav\u00e9s de un ataque \"XML Signature wrapping\""
    }
  ],
  "id": "CVE-2011-1411",
  "lastModified": "2025-04-11T00:51:21.963",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2011-09-02T23:55:04.240",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://secunia.com/advisories/50994"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://shibboleth.internet2.edu/secadv/secadv_20110725.txt"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.debian.org/security/2011/dsa-2284"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:150"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/50994"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://shibboleth.internet2.edu/secadv/secadv_20110725.txt"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.debian.org/security/2011/dsa-2284"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:150"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2011-1411

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2011-1411

Aliases

CVE-2011-1411

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2011-1411",
    "description": "Shibboleth OpenSAML library 2.4.x before 2.4.3 and 2.5.x before 2.5.1, and IdP before 2.3.2, allows remote attackers to forge messages and bypass authentication via an \"XML Signature wrapping attack.\"",
    "id": "GSD-2011-1411",
    "references": [
      "https://www.suse.com/security/cve/CVE-2011-1411.html",
      "https://www.debian.org/security/2011/dsa-2284"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2011-1411"
      ],
      "details": "Shibboleth OpenSAML library 2.4.x before 2.4.3 and 2.5.x before 2.5.1, and IdP before 2.3.2, allows remote attackers to forge messages and bypass authentication via an \"XML Signature wrapping attack.\"",
      "id": "GSD-2011-1411",
      "modified": "2023-12-13T01:19:07.614881Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2011-1411",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Shibboleth OpenSAML library 2.4.x before 2.4.3 and 2.5.x before 2.5.1, and IdP before 2.3.2, allows remote attackers to forge messages and bypass authentication via an \"XML Signature wrapping attack.\""
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://shibboleth.internet2.edu/secadv/secadv_20110725.txt",
            "refsource": "CONFIRM",
            "url": "http://shibboleth.internet2.edu/secadv/secadv_20110725.txt"
          },
          {
            "name": "DSA-2284",
            "refsource": "DEBIAN",
            "url": "http://www.debian.org/security/2011/dsa-2284"
          },
          {
            "name": "50994",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/50994"
          },
          {
            "name": "http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html",
            "refsource": "CONFIRM",
            "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html"
          },
          {
            "name": "MDVSA-2013:150",
            "refsource": "MANDRIVA",
            "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:150"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "[2.4.0,2.4.3),[2.5.0,2.5.1)",
          "affected_versions": "All versions starting from 2.4.0 before 2.4.3, all versions starting from 2.5.0 before 2.5.1",
          "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-287",
            "CWE-937"
          ],
          "date": "2022-07-13",
          "description": "Shibboleth OpenSAML library 2.4.x before 2.4.3 and 2.5.x before 2.5.1, and IdP before 2.3.2, allows remote attackers to forge messages and bypass authentication via an \"XML Signature wrapping attack.\"",
          "fixed_versions": [
            "2.4.3",
            "2.5.1"
          ],
          "identifier": "CVE-2011-1411",
          "identifiers": [
            "GHSA-qwwj-qj3f-9hv7",
            "CVE-2011-1411"
          ],
          "not_impacted": "All versions before 2.4.0, all versions starting from 2.4.3 before 2.5.0, all versions starting from 2.5.1",
          "package_slug": "maven/org.opensaml/opensaml",
          "pubdate": "2022-05-17",
          "solution": "Upgrade to versions 2.4.3, 2.5.1 or above.",
          "title": "Improper Authentication",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2011-1411",
            "http://shibboleth.internet2.edu/secadv/secadv_20110725.txt",
            "http://www.debian.org/security/2011/dsa-2284",
            "http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html",
            "https://github.com/advisories/GHSA-qwwj-qj3f-9hv7"
          ],
          "uuid": "0e336597-b582-449a-bc19-348d096698ed"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:shibboleth:opensaml:2.4.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:shibboleth:opensaml:2.4.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:shibboleth:opensaml:2.4.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:shibboleth:opensaml:2.5.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.2.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.1.5:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.1.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.1.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.3.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.2.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.0.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:shibboleth:shibboleth-identity-provider:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.3.1",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.1.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:shibboleth:shibboleth-identity-provider:2.1.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2011-1411"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Shibboleth OpenSAML library 2.4.x before 2.4.3 and 2.5.x before 2.5.1, and IdP before 2.3.2, allows remote attackers to forge messages and bypass authentication via an \"XML Signature wrapping attack.\""
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-287"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://shibboleth.internet2.edu/secadv/secadv_20110725.txt",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://shibboleth.internet2.edu/secadv/secadv_20110725.txt"
            },
            {
              "name": "DSA-2284",
              "refsource": "DEBIAN",
              "tags": [],
              "url": "http://www.debian.org/security/2011/dsa-2284"
            },
            {
              "name": "http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html"
            },
            {
              "name": "50994",
              "refsource": "SECUNIA",
              "tags": [],
              "url": "http://secunia.com/advisories/50994"
            },
            {
              "name": "MDVSA-2013:150",
              "refsource": "MANDRIVA",
              "tags": [],
              "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:150"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 4.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2013-10-11T03:34Z",
      "publishedDate": "2011-09-02T23:55Z"
    }
  }
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2011-1411 (GCVE-0-2011-1411)

GHSA-QWWJ-QJ3F-9HV7

CERTA-2012-AVI-578

Solution

CERTA-2011-AVI-515

Description

Solution

CERTA-2011-AVI-515

Description

Solution

CERTA-2012-AVI-578

Solution

FKIE_CVE-2011-1411

GSD-2011-1411

Tags

Sightings

Nomenclature