Vulnerability Details : CVE-2018-0489
Shibboleth XMLTooling-C before 1.6.4, as used in Shibboleth Service Provider before 2.6.1.4 on Windows and other products, mishandles digital signatures of user data, which allows remote attackers to obtain sensitive information or conduct impersonation attacks via crafted XML data. NOTE: this issue exists because of an incomplete fix for CVE-2018-0486.
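The bug class named in the description and in the SecurityFocus entry below (signature-bypass through a mismatch between what the signature covers and what the application reads) can be illustrated in a few lines. The following is an added example, not code from Shibboleth or XMLTooling-C, and it does not reproduce the specific parser defect the vendor advisory addresses: the XML signature is checked over the canonical, comment-free form of an element, while the application reads the value through a DOM call that returns only the first text node. The element name, identities, and the HMAC stand-in for XML-DSig are constructed for the example.

```python
"""
Added illustration (not Shibboleth/XMLTooling code) of the signature-vs-parser
mismatch class: a signature verified over canonical XML (comments stripped)
stays valid after an attacker inserts a comment into a signed value, while a
naive DOM read that stops at the first text node sees a truncated identity.
"""
import hashlib
import hmac
from xml.dom import minidom
from xml.etree import ElementTree as ET

# Constructed IdP signing key; real deployments use RSA/ECDSA XML-DSig.
IDP_KEY = b"constructed-idp-signing-key"


def canonicalize(xml_text: str) -> bytes:
    """Canonical XML without comments (stdlib C14N 2.0): what the signature covers."""
    return ET.canonicalize(xml_text, with_comments=False).encode()


def sign(xml_text: str) -> str:
    """Stand-in for XML-DSig: HMAC-SHA256 over the canonical form of the element."""
    return hmac.new(IDP_KEY, canonicalize(xml_text), hashlib.sha256).hexdigest()


def verify(xml_text: str, sig: str) -> bool:
    """Constant-time check of the stand-in signature against the canonical form."""
    return hmac.compare_digest(sign(xml_text), sig)


def naive_value(xml_text: str) -> str:
    """Vulnerable extraction: only the first DOM text node is read."""
    el = minidom.parseString(xml_text).documentElement
    return el.firstChild.data


def full_value(xml_text: str) -> str:
    """Hardened extraction: join every text node so the value matches what was signed."""
    el = minidom.parseString(xml_text).documentElement
    return "".join(n.data for n in el.childNodes if n.nodeType == n.TEXT_NODE)


def attacker_rewrite(xml_text: str, split_after: str) -> str:
    """Insert an empty comment right after `split_after`, splitting the text node."""
    return xml_text.replace(split_after, split_after + "<!---->", 1)


def demo() -> dict:
    # The IdP legitimately issues a NameID for the attacker's own account
    # (constructed value); the attacker then edits the response in transit.
    signed = "<NameID>user@example.com.evil.example</NameID>"
    sig = sign(signed)
    tampered = attacker_rewrite(signed, "user@example.com")
    return {
        "signature_still_valid": verify(tampered, sig),   # True: c14n drops the comment
        "naive_sees": naive_value(tampered),              # truncated identity
        "full_sees": full_value(tampered),                # identity actually signed
    }


if __name__ == "__main__":
    print(demo())
```

The check a practitioner wants is the last one: whatever value the application acts on must be derived from the same byte string the signature verified, never from a partial DOM view. Concatenating all text children (or reading the canonical serialization) closes this particular split; it does not by itself address other ways a parser's view can diverge from the canonical form, which is why the vendor advisory and the patched XMLTooling-C release are the fix, not this snippet.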
Products affected by CVE-2018-0489
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:arubanetworks:clearpass:*:*:*:*:*:*:*:*
- cpe:2.3:a:arubanetworks:clearpass:*:*:*:*:*:*:*:*
- cpe:2.3:a:shibboleth:xmltooling-c:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-0489
- EPSS score: 0.79% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~81% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2018-0489
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N | 10.0 | 4.9 | NIST | |
6.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N | 3.9 | 2.5 | NIST | |
CWE ids for CVE-2018-0489
- CWE-347: Improper Verification of Cryptographic Signature. The product does not verify, or incorrectly verifies, the cryptographic signature for data. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-0489
- http://www.securityfocus.com/bid/103172 : Multiple SAML Libraries Multiple Authentication Bypass Vulnerabilities [Third Party Advisory; VDB Entry]
- https://www.debian.org/security/2018/dsa-4126 : Debian -- Security Information -- DSA-4126-1 xmltooling [Third Party Advisory]
- http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-003.txt [Third Party Advisory]
- http://www.securitytracker.com/id/1040435 : Shibboleth Service Provider Flaw Lets Remote Users Modify User Data on the Target System - SecurityTracker [Third Party Advisory; VDB Entry]
- https://lists.debian.org/debian-lts-announce/2018/02/msg00031.html : [SECURITY] [DLA 1296-1] xmltooling security update [Issue Tracking]
- https://shibboleth.net/community/advisories/secadv_20180227.txt [Patch; Vendor Advisory]