CVE-2015-1796: Improper Certificate Validation in Shibboleth Identity Provider and OpenSAML

CVSS Score: 4.3

Basic Information

EPSS Score: 0.38439%
Published: 5/17/2022
Updated: 1/27/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| org.opensaml:opensaml | maven | <= 2.6.4 | 2.6.5 |
| edu.internet2.middleware:shibboleth-identityprovider | maven | <= 2.4.3 | 2.4.4 |

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from PKIX trust engine implementations that (1) failed to require at least one trusted name match and (2) did not implicitly trust the entityID itself. The core vulnerable path involves the credential validation entry point (PKIXX509CredentialTrustEngine.validate()) and the metadata-driven name resolution (MetadataPKIXValidationInfoResolver.resolve()). These functions would appear in stack traces during certificate validation when SAML messages are processed with KeyAuthority-trusted certificates that lack proper name constraints.
