CVE-2019-3465

{"id": "CVE-2019-3465", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2019-11-07T20:15:11.090", "references": [{"url": "https://github.com/robrichards/xmlseclibs/commit/0a53d3c3aa87564910cae4ed01416441d3ae0db5", "tags": ["Patch"], "source": "security@debian.org"}, {"url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00003.html", "tags": ["Mailing List", "Third Party Advisory"], "source": "security@debian.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7KID7C4AZPYYIZQIPSLANP4R2RQR6YK3/", "source": "security@debian.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AB34ILMJ67CUROBOR6YPKB46VHXLOAJ4/", "source": "security@debian.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BBKVDUZ7G5ZOUO4BFJWLNJ6VOKBQJX5U/", "source": "security@debian.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BNFMY5RRLU63P25HEBVDO5KAVI7TX7JV/", "source": "security@debian.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ESKJTWLE7QZBQ3EKMYXKMBQG3JDEJWM6/", "source": "security@debian.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HBE2SJSXG7J4XYLJ2H6HC2VPPOG2OMUN/", "source": "security@debian.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MAWOVYLZKYDCQBLQEJCFAAD3KQTBPHXE/", "source": "security@debian.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OCSR3V6LNWJAD37VQB6M2K7P4RQSCVFG/", "source": "security@debian.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XBSSRV5Q7JFCYO46A3EN624UZ4KXFQ2M/", "source": "security@debian.org"}, {"url": "https://seclists.org/bugtraq/2019/Nov/8", "tags": ["Issue Tracking", "Mailing List", "Third Party Advisory"], "source": "security@debian.org"}, {"url": "https://simplesamlphp.org/security/201911-01", "tags": ["Third Party Advisory"], "source": "security@debian.org"}, {"url": "https://www.debian.org/security/2019/dsa-4560", "tags": ["Third Party Advisory"], "source": "security@debian.org"}, {"url": "https://www.tenable.com/security/tns-2019-09", "source": "security@debian.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-347"}]}], "descriptions": [{"lang": "en", "value": "Rob Richards XmlSecLibs, all versions prior to v3.0.3, as used for example by SimpleSAMLphp, performed incorrect validation of cryptographic signatures in XML messages, allowing an authenticated attacker to impersonate others or elevate privileges by creating a crafted XML message."}, {"lang": "es", "value": "Rob Richards XmlSecLibs, todas las versiones anteriores a la v3.0.3, como es usada por ejemplo mediante SimpleSAMLphp, realiz\u00f3 una comprobaci\u00f3n incorrecta de las firmas criptogr\u00e1ficas en los mensajes XML, permitiendo a un atacante autenticado suplantar a otros o elevar los privilegios por medio de la creaci\u00f3n de un mensaje XML dise\u00f1ado."}], "lastModified": "2023-11-07T03:09:47.397", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:xmlseclibs_project:xmlseclibs:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D32024E5-AA5C-4F2B-9F19-44D8D05F5971", "versionEndIncluding": "1.4.2", "versionStartIncluding": "1.0.0"}, {"criteria": "cpe:2.3:a:xmlseclibs_project:xmlseclibs:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B4A85E4A-6FFF-49F2-9940-6A89E19BEDD5", "versionEndIncluding": "2.1.0", "versionStartIncluding": "2.0.0"}, {"criteria": "cpe:2.3:a:xmlseclibs_project:xmlseclibs:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "86221F77-66FC-4220-97D2-FC3F0E384E15", "versionEndIncluding": "3.0.3", "versionStartIncluding": "3.0.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43"}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252"}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:simplesamlphp:simplesamlphp:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BFB2AFBB-CAB6-4093-BF77-6BA30C3F1E5D", "versionEndIncluding": "1.17.6"}], "operator": "OR"}]}], "sourceIdentifier": "security@debian.org"}