CVE-2015-0851 - XMLTooling-C before 1.5.5, as used in OpenSAML-C and Shibboleth Service Provider (SP), does not prop

CVE-2015-0851

Summary

XMLTooling-C before 1.5.5, as used in OpenSAML-C and Shibboleth Service Provider (SP), does not properly handle integer conversion exceptions, which allows remote attackers to cause a denial of service (crash) via schema-invalid XML data.

References

http://shibboleth.net/community/advisories/secadv_20150721.txt
http://www.debian.org/security/2015/dsa-3321
http://www.securityfocus.com/bid/76134
https://git.shibboleth.net/view/?p=cpp-xmltooling.git;a=commitdiff;h=2d795c731e6729309044607154978696a87fd900

Vulnerable Configurations

cpe:2.3:a:xmltooling_project:xmltooling:1.5.4:*:*:*:*:*:*:*
cpe:2.3:a:xmltooling_project:xmltooling:1.5.4:*:*:*:*:*:*:*

CVSS

Base:	5.0 (as of 28-11-2016 - 19:17)
Impact:
Exploitability:

CWE

CWE-189

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
NONE	NONE	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:N/I:N/A:P

refmap via4

bid	76134
confirm	http://shibboleth.net/community/advisories/secadv_20150721.txt https://git.shibboleth.net/view/?p=cpp-xmltooling.git;a=commitdiff;h=2d795c731e6729309044607154978696a87fd900
debian	DSA-3321

Last major update

28-11-2016 - 19:17

Published

12-08-2015 - 14:59

Last modified

28-11-2016 - 19:17