Vulnerability Details : CVE-2019-3465
Rob Richards XmlSecLibs, all versions prior to v3.0.3, as used for example by SimpleSAMLphp, performed incorrect validation of cryptographic signatures in XML messages, allowing an authenticated attacker to impersonate others or elevate privileges by creating a crafted XML message.
Products affected by CVE-2019-3465
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:simplesamlphp:simplesamlphp:*:*:*:*:*:*:*:*
- cpe:2.3:a:xmlseclibs_project:xmlseclibs:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-3465
- EPSS score: 0.23% (probability of exploitation activity in the next 30 days)
- EPSS Score History (chart)
- Percentile: ~61% (the proportion of vulnerabilities that are scored at or below this one)
CVSS scores for CVE-2019-3465
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P | 8.0 | 6.4 | NIST |
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST |
CWE ids for CVE-2019-3465
- The product does not verify, or incorrectly verifies, the cryptographic signature for data. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-3465
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MAWOVYLZKYDCQBLQEJCFAAD3KQTBPHXE/ : [SECURITY] Fedora 29 Update: php-robrichards-xmlseclibs-2.1.1-1.fc29 (package-announce, Fedora Mailing-Lists)
- https://www.tenable.com/security/tns-2019-09 : [R1] Tenable.sc 5.13.0 Fixes Multiple Third-Party Vulnerabilities (Security Advisory, Tenable)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBSSRV5Q7JFCYO46A3EN624UZ4KXFQ2M/ : [SECURITY] Fedora 30 Update: php-robrichards-xmlseclibs-2.1.1-1.fc30 (package-announce, Fedora Mailing-Lists)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BNFMY5RRLU63P25HEBVDO5KAVI7TX7JV/ : [SECURITY] Fedora 30 Update: php-robrichards-xmlseclibs1-1.4.3-1.fc30 (package-announce, Fedora Mailing-Lists)
- https://lists.debian.org/debian-lts-announce/2019/11/msg00003.html : [SECURITY] [DLA 1983-1] simplesamlphp security update (Mailing List; Third Party Advisory)
- https://www.debian.org/security/2019/dsa-4560 : Debian Security Information, DSA-4560-1 simplesamlphp (Third Party Advisory)
- https://simplesamlphp.org/security/201911-01 : SimpleSAMLphp (Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ESKJTWLE7QZBQ3EKMYXKMBQG3JDEJWM6/ : [SECURITY] Fedora 29 Update: php-robrichards-xmlseclibs3-3.0.4-1.fc29 (package-announce, Fedora Mailing-Lists)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HBE2SJSXG7J4XYLJ2H6HC2VPPOG2OMUN/ : [SECURITY] Fedora 30 Update: php-robrichards-xmlseclibs3-3.0.4-1.fc30 (package-announce, Fedora Mailing-Lists)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AB34ILMJ67CUROBOR6YPKB46VHXLOAJ4/ : [SECURITY] Fedora 31 Update: php-robrichards-xmlseclibs3-3.0.4-1.fc31 (package-announce, Fedora Mailing-Lists)
- https://seclists.org/bugtraq/2019/Nov/8 : Bugtraq: [SECURITY] [DSA 4560-1] simplesamlphp security update (Issue Tracking; Mailing List; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCSR3V6LNWJAD37VQB6M2K7P4RQSCVFG/ : [SECURITY] Fedora 32 Update: php-robrichards-xmlseclibs1-1.4.3-1.fc32 (package-announce, Fedora Mailing-Lists)
- https://github.com/robrichards/xmlseclibs/commit/0a53d3c3aa87564910cae4ed01416441d3ae0db5 : Release 3.0.4. Security release for CVE-2019-3465, robrichards/xmlseclibs@0a53d3c on GitHub (Patch)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7KID7C4AZPYYIZQIPSLANP4R2RQR6YK3/ : [SECURITY] Fedora 31 Update: php-robrichards-xmlseclibs-2.1.1-1.fc31 (package-announce, Fedora Mailing-Lists)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BBKVDUZ7G5ZOUO4BFJWLNJ6VOKBQJX5U/ : [SECURITY] Fedora 31 Update: php-robrichards-xmlseclibs1-1.4.3-1.fc31 (package-announce, Fedora Mailing-Lists)