CVE-2015-1796
Improper Certificate Validation in Shibboleth Identity Provider and OpenSAML
EPSS 0.17%
Description
The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor.
How to fix CVE-2015-1796
To remediate CVE-2015-1796, upgrade the affected package to one of the fixed versions listed below.
- Maven/edu.internet2.middleware:shibboleth-identityprovider — upgrade to 2.4.4 or later
- OpenSAML Java (OpenSAML-J) — upgrade to 2.6.5 or later
Is CVE-2015-1796 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- Shibboleth Identity Provider (edu.internet2.middleware:shibboleth-identityprovider): from 0, < 2.4.4
- OpenSAML Java (OpenSAML-J): from 0, < 2.6.5