CVE-2018-0486
First published: Sat Jan 13 2018(Updated: )
Shibboleth XMLTooling-C before 1.6.3, as used in Shibboleth Service Provider before 2.6.0 on Windows and other products, mishandles digital signatures of user attribute data, which allows remote attackers to obtain sensitive information or conduct impersonation attacks via a crafted DTD.
Credit: security@debian.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/xmltooling | 3.0.4-1+deb10u1 3.0.4-1+deb10u2 3.2.0-3+deb11u1 3.2.3-1+deb12u1 3.2.4-2 | |
| Shibboleth XMLTooling-C | <1.6.3 | |
| Debian Debian Linux | =7.0 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://shibboleth.net/community/advisories/secadv_20180112.txt
- https://issues.shibboleth.net/jira/browse/CPPXT-127
- https://git.shibboleth.net/view/?p=cpp-xmltooling.git;a=commit;h=a02314e96d6746d29c5697b504d37f2e04a6e6cd
- https://security-tracker.debian.org/tracker/CVE-2018-0486
- http://www.securitytracker.com/id/1040177
- https://lists.debian.org/debian-lts-announce/2018/01/msg00016.html
- https://lists.debian.org/debian-security-announce/2018/msg00007.html
- https://www.debian.org/security/2018/dsa-4085
Frequently Asked Questions
What is CVE-2018-0486?
CVE-2018-0486 is a vulnerability that affects Shibboleth Service Provider before version 2.6.0 on Windows and other products due to mishandling of digital signatures of user attribute data.
What is the severity of CVE-2018-0486?
The severity of CVE-2018-0486 is medium, with a severity value of 6.5.
How does CVE-2018-0486 impact Shibboleth XMLTooling-C?
CVE-2018-0486 impacts Shibboleth XMLTooling-C before version 1.6.3 by allowing remote attackers to obtain sensitive information or conduct impersonation attacks by using a crafted DTD.
What is the recommended remedy for CVE-2018-0486?
The recommended remedy for CVE-2018-0486 is to update to version 3.0.4-1+deb10u1, 3.0.4-1+deb10u2, 3.2.0-3+deb11u1, 3.2.3-1+deb12u1, or 3.2.4-2 of the xmltooling package.
Where can I find more information about CVE-2018-0486?
You can find more information about CVE-2018-0486 in the Shibboleth Security Advisory (https://shibboleth.net/community/advisories/secadv_20180112.txt), the Shibboleth Jira (https://issues.shibboleth.net/jira/browse/CPPXT-127), and the commit in the cpp-xmltooling repository (https://git.shibboleth.net/view/?p=cpp-xmltooling.git;a=commit;h=a02314e96d6746d29c5697b504d37f2e04a6e6cd).
- collector/security-tracker-debian
- collector/nvd-index
- agent/severity
- agent/references
- agent/weakness
- agent/author
- agent/description
- agent/event
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- package-manager/debian
- vendor/shibboleth
- canonical/shibboleth xmltooling-c
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/7.0
- version/debian debian linux/8.0
- version/debian debian linux/9.0