CVE-2018-0489
MEDIUMShibboleth XMLTooling-C < 1.6.4 - Digital Signature Verification Bypass via Crafted XML Data
Title source: llmDescription
Shibboleth XMLTooling-C before 1.6.4, as used in Shibboleth Service Provider before 2.6.1.4 on Windows and other products, mishandles digital signatures of user data, which allows remote attackers to obtain sensitive information or conduct impersonation attacks via crafted XML data. NOTE: this issue exists because of an incomplete fix for CVE-2018-0486.
References (6)
Core 6
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1040435
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/103172
Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2018/dsa-4126
Patch, Vendor Advisory x_refsource_confirm
https://shibboleth.net/community/advisories/secadv_20180227.txt
Third Party Advisory x_refsource_confirm
http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-003.txt
Issue Tracking mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2018/02/msg00031.html
Scores
CVSS v3
6.5
EPSS
0.0062
EPSS Percentile
70.3%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Details
CWE
CWE-347
Status
published
Products (5)
arubanetworks/clearpass
6.6.0 - 6.6.9
debian/debian_linux
7.0
debian/debian_linux
8.0
debian/debian_linux
9.0
shibboleth/xmltooling-c
< 1.6.4
Published
Feb 27, 2018
Tracked Since
Feb 18, 2026