OpenSAML 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, as used by Internet2 Shibboleth Service Provider 2.x before 2.2.1, do not follow the KeyDescriptor element's Use attribute, which allows remote attackers to use a certificate for both signing and encryption when it is designated for just one purpose, potentially weakening the intended security application of the certificate.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2009-09-29T23:00:00

Updated: 2024-08-07T06:31:10.133Z

Reserved: 2009-09-29T00:00:00

Link: CVE-2009-3474

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2009-09-29T23:30:00.217

Modified: 2024-11-21T01:07:27.073

Link: CVE-2009-3474

cve-icon Redhat

No data.