CVE-2018-0486 — Improper Verification of Cryptographic Signature in Xmltooling-c
Severity
6.5 MEDIUM (NVD)
EPSS
0.8%
top 26.30%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jan 13
Latest update: May 14
Description
Shibboleth XMLTooling-C before 1.6.3, as used in Shibboleth Service Provider before 2.6.0 on Windows and other products, mishandles digital signatures of user attribute data, which allows remote attackers to obtain sensitive information or conduct impersonation attacks via a crafted DTD.
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploitability: 3.9 | Impact: 2.5
Affected Packages (3 packages)
Also affects: Debian Linux 7.0, 8.0, 9.0
Vulnerability Details (6)
Vendor Advisories (4)
Red Hat
openSAML: Mishandling of comments in SAML content can lead to bypass of signature verification (2018-02-27)
Red Hat
xmltooling: impersonation attack and sensitive information disclosure in the Service Provider via crafted DTD (2018-01-12)
Debian
CVE-2018-0486: xmltooling - Shibboleth XMLTooling-C before 1.6.3, as used in Shibboleth Service Provider bef... (2018)
Debian
CVE-2018-0489: xmltooling - Shibboleth XMLTooling-C before 1.6.4, as used in Shibboleth Service Provider bef... (2018)