Description
SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receives. Any actor with network access to the deployment could impersonate users when SAML is the authentication method. (Only versions after 2.0.5a are affected.)
References (5)
Product (x_refsource_misc): https://www.sogo.nu/news.html
Release Notes, Third Party Advisory (x_refsource_misc): https://github.com/inverse-inc/sogo/blob/master/CHANGELOG.md
Third Party Advisory (x_refsource_misc): https://blogs.akamai.com/2021/06/sogo-and-packetfence-impacted-by-saml-implementation-vulnerabilities.html
Mailing List, Third Party Advisory (mailing-list, x_refsource_mlist): https://lists.debian.org/debian-lts-announce/2021/07/msg00007.html
Third Party Advisory (vendor-advisory, x_refsource_debian): https://www.debian.org/security/2021/dsa-5029
Scores
CVSS v3: 7.5
EPSS: 0.0099
EPSS Percentile: 57.7%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE: CWE-347
Status: published
Products (4)
debian/debian_linux 9.0
debian/debian_linux 10.0
debian/debian_linux 11.0
inverse/sogo 2.0.6 - 2.4.1
Published: Jun 04, 2021
Tracked Since: Feb 18, 2026