CVE-2009-3474 : OpenSAML 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, as used by Internet2

OpenSAML 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, as used by Internet2 Shibboleth Service Provider 2.x before 2.2.1, do not follow the KeyDescriptor element's Use attribute, which allows remote attackers to use a certificate for both signing and encryption when it is designated for just one purpose, potentially weakening the intended security application of the certificate.

Published 2009-09-29 23:30:00

Updated 2017-08-17 01:31:08

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2009-3474

Internet2 » Opensaml » Version: 2.1.0
cpe:2.3:a:internet2:opensaml:2.1.0:*:*:*:*:*:*:*
Matching versions
Internet2 » Opensaml » Version: 2.2.0
cpe:2.3:a:internet2:opensaml:2.2.0:*:*:*:*:*:*:*
Matching versions
Internet2 » Opensaml » Version: 2.0
cpe:2.3:a:internet2:opensaml:2.0:*:*:*:*:*:*:*
Matching versions
Internet2 » Xmltooling » Version: 1.2.0
cpe:2.3:a:internet2:xmltooling:1.2.0:*:*:*:*:*:*:*
Matching versions
Internet2 » Xmltooling » Version: 1.0.1
cpe:2.3:a:internet2:xmltooling:1.0.1:*:*:*:*:*:*:*
Matching versions
Internet2 » Xmltooling » Version: 1.1.0
cpe:2.3:a:internet2:xmltooling:1.1.0:*:*:*:*:*:*:*
Matching versions
Internet2 » Xmltooling » Version: 1.1.1
cpe:2.3:a:internet2:xmltooling:1.1.1:*:*:*:*:*:*:*
Matching versions
Internet2 » Shibboleth-sp » Version: 2.2
cpe:2.3:a:internet2:shibboleth-sp:2.2:*:*:*:*:*:*:*
Matching versions
Internet2 » Shibboleth-sp » Version: 2.1
cpe:2.3:a:internet2:shibboleth-sp:2.1:*:*:*:*:*:*:*
Matching versions
Internet2 » Shibboleth-sp » Version: 1.3.1
cpe:2.3:a:internet2:shibboleth-sp:1.3.1:*:*:*:*:*:*:*
Matching versions
Internet2 » Shibboleth-sp » Version: 2.0
cpe:2.3:a:internet2:shibboleth-sp:2.0:*:*:*:*:*:*:*
Matching versions
Internet2 » Shibboleth-sp » Version: 1.3f
cpe:2.3:a:internet2:shibboleth-sp:1.3f:*:*:*:*:*:*:*
Matching versions
Internet2 » Shibboleth-sp » Version: 1.3b
cpe:2.3:a:internet2:shibboleth-sp:1.3b:*:*:*:*:*:*:*
Matching versions
Internet2 » Shibboleth-sp » Version: 1.3.2
cpe:2.3:a:internet2:shibboleth-sp:1.3.2:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2009-3474

EPSS FAQ

1.29%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 78 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2009-3474

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial

CWE ids for CVE-2009-3474

CWE-310

Assigned by: nvd@nist.gov (Primary)

References for CVE-2009-3474

http://www.debian.org/security/2009/dsa-1896

[SECURITY] [DSA 1896-1] New Shibboleth 1.x packages fix potential code execution
Patch

CVEs referencing this url
https://exchange.xforce.ibmcloud.com/vulnerabilities/53474

OpenSAML KeyDescriptor security bypass CVE-2009-3474 Vulnerability Report
http://shibboleth.internet2.edu/secadv/secadv_20090817a.txt

404 Not Found
Patch;Vendor Advisory
http://www.securityfocus.com/bid/36516

Patch
https://bugs.internet2.edu/jira/browse/CPPOST-28

Internet2 Discovery Service
http://www.debian.org/security/2009/dsa-1895

[SECURITY] [DSA 1895-1] New xmltooling packages fix potential code execution
Patch

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2009-3474

Products affected by CVE-2009-3474

Exploit prediction scoring system (EPSS) score for CVE-2009-3474

CVSS scores for CVE-2009-3474

CWE ids for CVE-2009-3474

References for CVE-2009-3474