{ "id": "CVE-2015-5253", "sourceIdentifier": "secalert@redhat.com", "published": "2015-11-18T16:59:00.097", "lastModified": "2024-11-21T02:32:39.170", "vulnStatus": "Modified", "cveTags": [], "descriptions": [ { "lang": "en", "value": "The SAML Web SSO module in Apache CXF before 2.7.18, 3.0.x before 3.0.7, and 3.1.x before 3.1.3 allows remote authenticated users to bypass authentication via a crafted SAML response with a valid signed assertion, related to a \"wrapping attack.\"" }, { "lang": "es", "value": "El m\u00f3dulo Web SSO SAML en Apache CXF en versiones anteriores a 2.7.18, 3.0.x en versiones anteriores a 3.0.7 y 3.1.x en versiones anteriores a 3.1.3 permite a usuarios remotos autenticados eludir la autenticaci\u00f3n a trav\u00e9s de una respuesta SAML manipulada con una aserci\u00f3n firmada valida, relacionado con un 'wrapping attack.'" } ], "metrics": { "cvssMetricV2": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "baseScore": 4.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE" }, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false } ] }, "weaknesses": [ { "source": "nvd@nist.gov", "type": "Primary", "description": [ { "lang": "en", "value": "CWE-264" } ] } ], "configurations": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.7.18", "matchCriteriaId": "CEC3D06E-8376-4504-89CD-6893E33E1F08" }, { "vulnerable": true, "criteria": "cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0.0", "versionEndExcluding": "3.0.7", "matchCriteriaId": "00A818B1-6B71-44B6-9C9E-BE96C6C5E505" }, { "vulnerable": true, "criteria": "cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.1.0", "versionEndExcluding": "3.1.3", "matchCriteriaId": "16B9932F-0D95-4459-B236-21EE5D8F3A3E" } ] } ] } ], "references": [ { "url": "http://cxf.apache.org/security-advisories.data/CVE-2015-5253.txt.asc", "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ] }, { "url": "http://rhn.redhat.com/errata/RHSA-2016-0321.html", "source": "secalert@redhat.com", "tags": [ "Third Party Advisory" ] }, { "url": "http://www.openwall.com/lists/oss-security/2015/11/14/1", "source": "secalert@redhat.com", "tags": [ "Mailing List", "Third Party Advisory" ] }, { "url": "http://www.securitytracker.com/id/1034162", "source": "secalert@redhat.com", "tags": [ "Third Party Advisory", "VDB Entry" ] }, { "url": "https://git-wip-us.apache.org/repos/asf?p=cxf.git%3Ba=commitdiff%3Bh=845eccb6484b43ba02875c71e824db23ae4f20c0", "source": "secalert@redhat.com" }, { "url": "https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E", "source": "secalert@redhat.com" }, { "url": "https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E", "source": "secalert@redhat.com" }, { "url": "https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E", "source": "secalert@redhat.com" }, { "url": "https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E", "source": "secalert@redhat.com" }, { "url": "https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E", "source": "secalert@redhat.com" }, { "url": "https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E", "source": "secalert@redhat.com" }, { "url": "http://cxf.apache.org/security-advisories.data/CVE-2015-5253.txt.asc", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ] }, { "url": "http://rhn.redhat.com/errata/RHSA-2016-0321.html", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ] }, { "url": "http://www.openwall.com/lists/oss-security/2015/11/14/1", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ] }, { "url": "http://www.securitytracker.com/id/1034162", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ] }, { "url": "https://git-wip-us.apache.org/repos/asf?p=cxf.git%3Ba=commitdiff%3Bh=845eccb6484b43ba02875c71e824db23ae4f20c0", "source": "af854a3a-2127-422b-91ae-364da2661108" }, { "url": "https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E", "source": "af854a3a-2127-422b-91ae-364da2661108" }, { "url": "https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E", "source": "af854a3a-2127-422b-91ae-364da2661108" }, { "url": "https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E", "source": "af854a3a-2127-422b-91ae-364da2661108" }, { "url": "https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E", "source": "af854a3a-2127-422b-91ae-364da2661108" }, { "url": "https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E", "source": "af854a3a-2127-422b-91ae-364da2661108" }, { "url": "https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E", "source": "af854a3a-2127-422b-91ae-364da2661108" } ] }