search

akash-k-ephesoft / test-1

Other
0 stars 0 forks source link

opensaml-2.6.1.jar: 2 vulnerabilities (highest severity is: 5.9) #82

Open mend-bolt-for-github[bot] opened 2 years ago

mend-bolt-for-github[bot] commented 2 years ago
Vulnerable Library - opensaml-2.6.1.jar

The OpenSAML-J library provides tools to support developers working with the Security Assertion Markup Language (SAML).

Library home page: http://www.internet2.edu/

Path to vulnerable library: /lib/opensaml-2.6.1.jar

Found in HEAD commit: bafe36287e51aaacdb1ab47c78bd429757cdc4f2

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (opensaml version) Remediation Possible**
CVE-2014-3603 Medium 5.9 opensaml-2.6.1.jar Direct 2.6.4
CVE-2015-1796 Medium 5.3 opensaml-2.6.1.jar Direct org.opensaml:opensaml - 2.6.5

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2014-3603 ### Vulnerable Library - opensaml-2.6.1.jar

The OpenSAML-J library provides tools to support developers working with the Security Assertion Markup Language (SAML).

Library home page: http://www.internet2.edu/

Path to vulnerable library: /lib/opensaml-2.6.1.jar

Dependency Hierarchy: - :x: **opensaml-2.6.1.jar** (Vulnerable Library)

Found in HEAD commit: bafe36287e51aaacdb1ab47c78bd429757cdc4f2

Found in base branch: main

### Vulnerability Details

The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Publish Date: 2019-04-04

URL: CVE-2014-3603

### CVSS 3 Score Details (5.9)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3603

Release Date: 2019-04-04

Fix Resolution: 2.6.4

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2015-1796 ### Vulnerable Library - opensaml-2.6.1.jar

The OpenSAML-J library provides tools to support developers working with the Security Assertion Markup Language (SAML).

Library home page: http://www.internet2.edu/

Path to vulnerable library: /lib/opensaml-2.6.1.jar

Dependency Hierarchy: - :x: **opensaml-2.6.1.jar** (Vulnerable Library)

Found in HEAD commit: bafe36287e51aaacdb1ab47c78bd429757cdc4f2

Found in base branch: main

### Vulnerability Details

The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor.

Publish Date: 2015-07-08

URL: CVE-2015-1796

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-1796

Release Date: 2015-07-08

Fix Resolution: org.opensaml:opensaml - 2.6.5

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)