Moderate severity · NVD Advisory · Published Jul 8, 2015 · Updated Jun 17, 2026
CVE-2015-1796
Description
The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.opensaml:opensaml (Maven) | < 2.6.5 | 2.6.5 |
| edu.internet2.middleware:shibboleth-identityprovider (Maven) | < 2.4.4 | 2.4.4 |
Affected products
- ghsa-coords (2 versions): < 2.4.4 + 1 more
- (no CPE), range: < 2.4.4
- (no CPE), range: < 2.6.5
References
- github.com/advisories/GHSA-78fq-w796-q537 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2015-1796 (ghsa, ADVISORY)
- shibboleth.net/community/advisories/secadv_20150225.txt (nvd, Vendor Advisory, WEB)
- rhn.redhat.com/errata/RHSA-2015-1176.html (nvd, WEB)
- rhn.redhat.com/errata/RHSA-2015-1177.html (nvd, WEB)
- www.securityfocus.com/bid/75370 (nvd)