CVE-2018-0489 — Improper Verification of Cryptographic Signature in Xmltooling-c
Severity: 6.5 MEDIUM (NVD)
EPSS: 0.3% (top 47.36%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 27; latest update May 14
Description
Shibboleth XMLTooling-C before 1.6.4, as used in Shibboleth Service Provider before 2.6.1.4 on Windows and other products, mishandles digital signatures of user data, which allows remote attackers to obtain sensitive information or conduct impersonation attacks via crafted XML data. NOTE: this issue exists because of an incomplete fix for CVE-2018-0486.
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploitability: 3.9 | Impact: 2.5
Affected Packages (3 packages)
Also affects: Debian Linux 7.0, 8.0, 9.0
Bugzilla references
- 2018-04-11: CVE-2017-15137 atomic-openshift: image import whitelist can be bypassed by creating an imagestream or using oc tag
- 2018-04-11: CVE-2017-15138 atomic-openshift: cluster-reader can escalate to creating builds via webhooks in any project
- 2018-03-01: CVE-2018-0489 openSAML: Mishandling of comments in SAML content can lead to bypass of signature verification [fedora-all]
- 2018-02-27: CVE-2018-0489 openSAML: Mishandling of comments in SAML content can lead to bypass of signature verification