
CVE-2018-0489

Published: 27/02/2018 Updated: 23/03/2018
CVSS v2 Base Score: 6.4 | Impact Score: 4.9 | Exploitability Score: 10
CVSS v3 Base Score: 6.5 | Impact Score: 2.5 | Exploitability Score: 3.9
VMScore: 570
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

Vulnerability Summary

Shibboleth XMLTooling-C prior to 1.6.4, as used in Shibboleth Service Provider prior to 2.6.1.4 on Windows and other products, mishandles digital signatures of user data, which allows remote malicious users to obtain sensitive information or conduct impersonation attacks via crafted XML data. NOTE: this issue exists because of an incomplete fix for CVE-2018-0486.

Vulnerable Product

shibboleth xmltooling-c

debian debian linux 7.0

debian debian linux 8.0

debian debian linux 9.0

arubanetworks clearpass

Vendor Advisories

Kelby Ludwig and Scott Cantor discovered that the Shibboleth service provider is vulnerable to impersonation attacks and information disclosure due to incorrect XML parsing. For additional details please refer to the upstream advisory at shibboleth.net/community/advisories/secadv_20180227.txt. For the oldstable distribution (jessie), this pr ...
Shibboleth XMLTooling-C before 1.6.4, as used in Shibboleth Service Provider before 2.6.1.4 on Windows and other products, mishandles digital signatures of user data, which allows remote attackers to obtain sensitive information or conduct impersonation attacks via crafted XML data. NOTE: this issue exists because of an incomplete fix for CVE-2018- ...