CVE-2011-1411 — Improper Authentication in Shibboleth-identity-provider

CWE-287 — Improper Authentication8 documents6 sources

Severity

5.8MEDIUMNVD

EPSS

0.3%

top 48.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Shibboleth Shibboleth-identity-provider Shibboleth Opensaml

Timeline

PublishedSep 2

Latest updateMay 17

Description

Shibboleth OpenSAML library 2.4.x before 2.4.3 and 2.5.x before 2.5.1, and IdP before 2.3.2, allows remote attackers to forge messages and bypass authentication via an "XML Signature wrapping attack."

CVSS vector

AV:N/AC:M/C:P/I:P/A:NExploitability: 8.6 | Impact: 4.9

Affected Packages2 packages

▶NVDshibboleth/opensaml4 versions+3

▶NVDshibboleth/shibboleth-identity-provider2.3.1+10

🔴Vulnerability Details

GHSA

Improper Authentication in OpenSAML↗2022-05-17

▶

OSV

Improper Authentication in OpenSAML↗2022-05-17

▶

CVEList

CVE-2011-1411: Shibboleth OpenSAML library 2↗2011-09-02

▶

📄Research Papers

arXiv

XML Signature Wrapping Still Considered Harmful: A Case Study on the Personal Health Record in Germany↗2021-06-19

▶

💬Community

Bugzilla

CVE-2012-4418 axis2: vulnerable to XML signature wrapping attacks↗2012-09-12

▶

Bugzilla

CVE-2011-1411 opensaml: vulnerable to XML signature wrapping attacks [fedora-all]↗2011-07-25

▶

Bugzilla

CVE-2011-1411 opensaml: vulnerable to XML signature wrapping attacks↗2011-07-25

▶