CVE-2015-5372
Published Sep 28, 2015
Last updated 6 years ago
Overview
- Description: The SAML 2.0 implementation in AdNovum nevisAuth 4.13.0.0 before 4.18.3.1, when using SAML POST-Binding, does not match all attributes of the X.509 certificate embedded in the assertion against the certificate from the identity provider (IdP), which allows remote attackers to inject arbitrary SAML assertions via a crafted certificate.
- Source: cve@mitre.org
- NVD status: Modified
Risk scores
CVSS 2.0
- Type: Primary
- Base score: 5
- Impact score: 2.9
- Exploitability score: 10
- Vector string: AV:N/AC:L/Au:N/C:N/I:P/A:N
Weaknesses
- nvd@nist.gov: CWE-287
Configurations
[ { "nodes": [ { "negate": false, "cpeMatch": [ { "criteria": "cpe:2.3:a:adnovum:nevisauth:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4C42D45F-BB76-4B41-A867-B0C2E777A84B", "versionEndIncluding": "4.18.3.0" } ], "operator": "OR" } ] } ]