Unrated severity · NVD Advisory · Published Sep 29, 2009 · Updated Jun 16, 2026
CVE-2009-3474
Description
OpenSAML 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, as used by Internet2 Shibboleth Service Provider 2.x before 2.2.1, do not follow the KeyDescriptor element's Use attribute, which allows remote attackers to use a certificate for both signing and encryption when it is designated for just one purpose, potentially weakening the intended security application of the certificate.
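The check the description says was missing, shown as an added example; it is not code from the advisory or from OpenSAML, XMLTooling or Shibboleth. The function names and the sample metadata are assumptions constructed for illustration, with certificate bodies replaced by placeholders. In SAML 2.0 metadata a KeyDescriptor with no `use` attribute applies to both purposes.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}
VALID_USES = ("signing", "encryption")

def _key_descriptor(use_attr, cert):
    # Helper that builds one constructed KeyDescriptor element.
    return (f"<md:KeyDescriptor{use_attr}><ds:KeyInfo><ds:X509Data>"
            f"<ds:X509Certificate>{cert}</ds:X509Certificate>"
            f"</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")

# Constructed sample metadata: one signing key, one encryption key, one unrestricted key.
SAMPLE_METADATA = (
    f'<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" '
    'entityID="https://idp.example.org/idp">'
    '<md:IDPSSODescriptor '
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    + _key_descriptor(' use="signing"', "SIGNING-CERT-PLACEHOLDER")
    + _key_descriptor(' use="encryption"', "ENCRYPTION-CERT-PLACEHOLDER")
    + _key_descriptor("", "DUAL-USE-CERT-PLACEHOLDER")
    + "</md:IDPSSODescriptor></md:EntityDescriptor>"
)

def _certs(key_descriptor):
    found = key_descriptor.iterfind(".//ds:X509Certificate", NS)
    return [c.text.strip() for c in found if c.text]

def keys_for(metadata_xml, purpose):
    """Return certificates the metadata allows for `purpose`, honoring `use`."""
    if purpose not in VALID_USES:
        raise ValueError(f"unknown purpose: {purpose!r}")
    selected = []
    for kd in ET.fromstring(metadata_xml).iter(f"{{{MD}}}KeyDescriptor"):
        use = kd.get("use")
        if use is not None and use not in VALID_USES:
            continue  # unrecognized value: fail closed rather than trust the key
        if use is None or use == purpose:
            selected.extend(_certs(kd))
    return selected

def keys_ignoring_use(metadata_xml):
    """The flawed selection: every key is eligible for every purpose."""
    root = ET.fromstring(metadata_xml)
    return [c for kd in root.iter(f"{{{MD}}}KeyDescriptor") for c in _certs(kd)]

if __name__ == "__main__":
    print("signing:   ", keys_for(SAMPLE_METADATA, "signing"))
    print("encryption:", keys_for(SAMPLE_METADATA, "encryption"))
    print("no check:  ", keys_ignoring_use(SAMPLE_METADATA))
```

Comparing the output of `keys_for` with `keys_ignoring_use` for the same metadata shows which keys a `use`-blind consumer would wrongly accept for a given purpose.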
Affected products
- cpe:2.3:a:internet2:shibboleth-sp:1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:internet2:shibboleth-sp:1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:internet2:shibboleth-sp:1.3b:*:*:*:*:*:*:*
- cpe:2.3:a:internet2:shibboleth-sp:1.3f:*:*:*:*:*:*:*
- cpe:2.3:a:internet2:shibboleth-sp:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:internet2:shibboleth-sp:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:internet2:shibboleth-sp:2.2:*:*:*:*:*:*:*
- cpe:2.3:a:internet2:xmltooling:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:internet2:xmltooling:1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:internet2:xmltooling:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:internet2:xmltooling:1.2.0:*:*:*:*:*:*:*
- (no CPE) Range: <1.2.1
- Range: <2.2.1
References
- shibboleth.internet2.edu/secadv/secadv_20090817a.txt (nvd: Patch, Vendor Advisory)
- www.debian.org/security/2009/dsa-1895 (nvd: Patch)
- www.debian.org/security/2009/dsa-1896 (nvd: Patch)
- www.securityfocus.com/bid/36516 (nvd: Patch)
- secunia.com/advisories/36855 (nvd: Vendor Advisory)
- secunia.com/advisories/36868 (nvd: Vendor Advisory)
- secunia.com/advisories/36876 (nvd: Vendor Advisory)
- bugs.internet2.edu/jira/browse/CPPOST-28 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/53474 (nvd)