CVE-2021-33054 — Improper Verification of Cryptographic Signature in Sogo

CWE-347 — Improper Verification of Cryptographic Signature5 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.3%

top 46.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Alinto Sogo Inverse Sogo Debian Linux

Timeline

PublishedJun 4

Latest updateMay 24

Description

SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receives. Any actor with network access to the deployment could impersonate users when SAML is the authentication method. (Only versions after 2.0.5a are affected.)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDinverse/sogo2.0.6 — 2.4.1+1

▶Debianalinto/sogo< 5.0.1-4+deb11u1+3

Also affects: Debian Linux 10.0, 11.0, 9.0

🔴Vulnerability Details

GHSA

GHSA-5x58-gqg4-wfvq: SOGo 2↗2022-05-24

▶

OSV

CVE-2021-33054: SOGo 2↗2021-06-04

▶

CVEList

CVE-2021-33054: SOGo 2↗2021-06-04

▶

📋Vendor Advisories

Debian

CVE-2021-33054: sogo - SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the sig...↗2021

▶