Attachment 225495 Details for Bug 256374 – vuxml entry

[patch] vuxml entry

sogo.patch (text/plain), 1.50 KB, created by rob2g2 on 2021-06-02 11:58:05 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: rob2g2

Created: 2021-06-02 11:58:05 UTC

Size: 1.50 KB

patch

obsolete

>*** vuln.xml.orig	Wed Jun 2 13:42:32 2021
>--- vuln.xml	Wed Jun 2 13:48:50 2021
>***************
>*** 78 ****
>--- 79,119 ----
>+ <vuln vid="69815a1d-c31d-11eb-9633-b42e99a1b9c3">
>+ <topic>SOGo -- SAML user authentication impersonation</topic>
>+ <affects>
>+ <package>
>+ 	<name>sogo</name>
>+ 	<range><lt>5.1.1</lt></range>
>+ </package>
>+ <package>
>+ 	<name>sogo-activesync</name>
>+ 	<range><lt>5.1.1</lt></range>
>+ </package>
>+ <package>
>+ 	<name>sogo2</name>
>+ 	<range><lt>2.4.1</lt></range>
>+ </package>
>+ <package>
>+ 	<name>sogo2-activesync</name>
>+ 	<range><lt>2.4.1</lt></range>
>+ </package>
>+ </affects>
>+ <description>
>+ <body xmlns="http://www.w3.org/1999/xhtml">
>+ 	sogo.nu reports:
>+ 	<blockquote cite="https://www.sogo.nu/news/2021/saml-vulnerability.html">
>+ 	 SOGo was not validating the signatures of any SAML assertions it received.
>+ 	 This means any actor with network access to the deployment could impersonate
>+ 	 users when SAML was the authentication method.
>+ 	</blockquote>
>+ </body>
>+ </description>
>+ <references>
>+ <cvename>CVE-2021-33054</cvename>
>+ <url>https://www.sogo.nu/news/2021/saml-vulnerability.html</url>
>+ <url>https://blogs.akamai.com/2021/06/sogo-and-packetfence-impacted-by-saml-implementation-vulnerabilities.html</url>
>+ </references>
>+ <dates>
>+ <discovery>2021-06-01</discovery>
>+ <entry>2021-06-02</entry>
>+ </dates>
>+ </vuln>
>+

Actions: View | Diff

Attachments on bug 256374: 225495