Unrated severity · NVD Advisory · Published Sep 29, 2009 · Updated Apr 23, 2026
CVE-2009-3474
Description
OpenSAML 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, as used by Internet2 Shibboleth Service Provider 2.x before 2.2.1, do not follow the KeyDescriptor element's Use attribute, which allows remote attackers to use a certificate for both signing and encryption when it is designated for just one purpose, potentially weakening the intended security application of the certificate.
Affected products (14)
- cpe:2.3:a:internet2:xmltooling:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:internet2:xmltooling:1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:internet2:xmltooling:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:internet2:xmltooling:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:internet2:shibboleth-sp:1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:internet2:shibboleth-sp:1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:internet2:shibboleth-sp:1.3b:*:*:*:*:*:*:*
- cpe:2.3:a:internet2:shibboleth-sp:1.3f:*:*:*:*:*:*:*
- cpe:2.3:a:internet2:shibboleth-sp:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:internet2:shibboleth-sp:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:internet2:shibboleth-sp:2.2:*:*:*:*:*:*:*
Patches
No patches discovered yet.
References (9)
- shibboleth.internet2.edu/secadv/secadv_20090817a.txt (nvd: Patch, Vendor Advisory)
- www.debian.org/security/2009/dsa-1895 (nvd: Patch)
- www.debian.org/security/2009/dsa-1896 (nvd: Patch)
- www.securityfocus.com/bid/36516 (nvd: Patch)
- secunia.com/advisories/36855 (nvd: Vendor Advisory)
- secunia.com/advisories/36868 (nvd: Vendor Advisory)
- secunia.com/advisories/36876 (nvd: Vendor Advisory)
- bugs.internet2.edu/jira/browse/CPPOST-28 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/53474 (nvd)