OpenSAML 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, as used by Internet2 Shibboleth Service Provider 2.x before 2.2.1, do not follow the KeyDescriptor element's Use attribute, which allows remote attackers to use a certificate for both signing and encryption when it is designated for just one purpose, potentially weakening the intended security application of the certificate.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2009-09-29T23:00:00
Updated: 2024-08-07T06:31:10.133Z
Reserved: 2009-09-29T00:00:00
Link: CVE-2009-3474
Vulnrichment
No data.
NVD
Status : Modified
Published: 2009-09-29T23:30:00.217
Modified: 2024-11-21T01:07:27.073
Link: CVE-2009-3474
Redhat
No data.