Vulnerability Description
The default configuration of the auth/saml plugin in Mahara before 1.4.2 sets the "Match username attribute to Remote username" option to false, which allows remote SAML IdP servers to spoof users of other SAML IdP servers by using the same internal username.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian | Debian Linux | 6.0 |
| Mahara | Mahara | <= 1.4.1 |
Related Weaknesses (CWE)
References
- http://gitorious.org/mahara/mahara/commit/f07be6020e70fa8f53cd77fdcd63e7fd7ff8aa (Issue Tracking, Patch)
- http://www.debian.org/security/2012/dsa-2467 (Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2012/05/11/9 (Mailing List, Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2012/05/12/4 (Mailing List, Third Party Advisory)
- https://bugs.launchpad.net/mahara/+bug/932909 (Issue Tracking)
FAQ
What is CVE-2012-2351?
CVE-2012-2351 is a vulnerability with a CVSS score of 5.0 (MEDIUM). The default configuration of the auth/saml plugin in Mahara before 1.4.2 sets the "Match username attribute to Remote username" option to false, which allows remote SAML IdP servers to spoof users of ...
How severe is CVE-2012-2351?
CVE-2012-2351 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2012-2351?
Check the references section above for vendor advisories and patch information. Affected products include: Debian Linux (Debian) and Mahara (Mahara).