OpenSAML 2.x prior to 2.2.1 and XMLTooling 1.x prior to 1.2.1, as used by Internet2 Shibboleth Service Provider 2.x prior to 2.2.1, do not honor the Use attribute of the KeyDescriptor element. This allows remote malicious users to use a certificate for both signing and encryption when it is designated for only one of those purposes, potentially weakening the intended security application of the certificate.
Vulnerable Product |
---|
internet2 opensaml 2.1.0 |
internet2 xmltooling 1.2.0 |
internet2 opensaml 2.2.0 |
internet2 opensaml 2.0 |
internet2 xmltooling 1.0.1 |
internet2 xmltooling 1.1.0 |
internet2 xmltooling 1.1.1 |
internet2 shibboleth-sp 2.2 |
internet2 shibboleth-sp 2.1 |
internet2 shibboleth-sp 1.3.1 |
internet2 shibboleth-sp 2.0 |
internet2 shibboleth-sp 1.3f |
internet2 shibboleth-sp 1.3b |
internet2 shibboleth-sp 1.3.2 |
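
The following is an added example, not code from OpenSAML, XMLTooling or Shibboleth: it resolves keys from SAML metadata while honoring the KeyDescriptor `use` attribute, next to a resolver that ignores it as the description above says the affected versions did. The metadata, entity ID, certificate placeholders and function names are constructed for illustration; it assumes the SAML metadata convention that a KeyDescriptor with no `use` attribute applies to both purposes.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _kd(use_attr, cert):
    # Builds one constructed KeyDescriptor; certificate bodies are placeholders.
    return (f"<md:KeyDescriptor{use_attr}><ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
            f"{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")

# Constructed sample metadata (hypothetical entity, not from a real deployment).
SAMPLE_METADATA = (
    f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
    'entityID="https://idp.example.org/idp"><md:IDPSSODescriptor '
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    + _kd(' use="signing"', "SIGNING-CERT-PLACEHOLDER")
    + _kd(' use="encryption"', "ENCRYPTION-CERT-PLACEHOLDER")
    + _kd("", "SHARED-CERT-PLACEHOLDER")  # no use attribute: valid for both purposes
    + "</md:IDPSSODescriptor></md:EntityDescriptor>"
)

def _descriptors(metadata_xml):
    # Yield (use attribute or None, [certificate text]) for each KeyDescriptor.
    for kd in ET.fromstring(metadata_xml).iterfind(".//md:KeyDescriptor", NS):
        certs = [c.text.strip() for c in kd.iterfind(".//ds:X509Certificate", NS) if c.text]
        yield kd.get("use"), certs

def keys_ignoring_use(metadata_xml):
    # The flawed behaviour: every key is offered for every purpose.
    return [c for _, certs in _descriptors(metadata_xml) for c in certs]

def keys_for(metadata_xml, purpose):
    # Corrected resolution: a key qualifies only if its use matches the purpose
    # or is omitted. Unrecognised use values never match (fail closed).
    if purpose not in ("signing", "encryption"):
        raise ValueError(f"unsupported purpose: {purpose!r}")
    return [c for use, certs in _descriptors(metadata_xml)
            if use is None or use == purpose for c in certs]

if __name__ == "__main__":
    for p in ("signing", "encryption"):
        print(p, keys_for(SAMPLE_METADATA, p))
    print("ignoring use:", keys_ignoring_use(SAMPLE_METADATA))
```

When validating a signature, only the result of `keys_for(..., "signing")` should be treated as trusted verification keys; the encryption-only certificate must not appear in that set.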