Internet2 Shibboleth Service Provider software 1.3.x prior to 1.3.3 and 2.x prior to 2.2.1, when using PKIX trust validation, does not properly handle a '\0' character in the subject or subjectAltName fields of a certificate, which allows remote man-in-the-middle malicious users to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
internet2 shibboleth-sp 2.0 |
||
internet2 shibboleth-sp 1.3.1 |
||
internet2 shibboleth-sp 1.3f |
||
internet2 shibboleth-sp 2.2 |
||
internet2 shibboleth-sp 2.1 |
||
internet2 shibboleth-sp 1.3.2 |