CVE-2021-33054

Name: CVE-2021-33054
Description: SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receives. Any actor with network access to the deployment could impersonate users when SAML is the authentication method. (Only versions after 2.0.5a are affected.)
Source: CVE (at NVD)
NVD severity: medium
Debian Bugs: 989479

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release    Version           Status
sogo (PTS)       stretch    3.2.6-2           vulnerable
                 buster     4.0.7-1+deb10u1   vulnerable
                 bullseye   5.0.1-4           vulnerable
                 sid        5.1.0-1           vulnerable

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
sogo      source   (unstable)   (unfixed)                          989479

Notes

https://www.sogo.nu/news/2021/saml-vulnerability.html
https://blogs.akamai.com/2021/06/saml-implementation-vulnerability-impacting-some-akamai-services.html
https://blogs.akamai.com/2021/06/akamai-eaa-impersonation-vulnerability---a-deep-dive.html
https://blogs.akamai.com/2021/06/sogo-and-packetfence-impacted-by-saml-implementation-vulnerabilities.html
Introduced by: https://github.com/inverse-inc/sogo/commit/5487f34b9ee9b9639e3f1d4a7abf4fad2d240d66 (SOGo-2.0.5)
Fixed by: https://github.com/inverse-inc/sogo/commit/e53636564680ac0df11ec898304bc442908ba746 (SOGo-5.1.1)
The CVE is assigned for the SOGo vulnerability in SOGo's own usage of lasso (the SAML library it relies on), not for lasso itself.
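The vulnerability class the description names, an SP that accepts a SAML assertion without checking its signature, as an added example that is not SOGo's or lasso's code and does not reproduce the commits linked above. It assumes an HMAC-SHA256 over the serialised <Assertion> element as a stand-in for the RSA XML-DSig real SAML uses, and every name, key and URL in it is constructed for the example.

```python
"""Added example (not SOGo's or lasso's code): a miniature SAML-style
service provider (SP) showing the CVE-2021-33054 vulnerability class
(accepting an assertion without checking its signature) beside the
fixed behaviour.

Assumptions, not from the advisory: the IdP-to-SP signature is an
HMAC-SHA256 over the serialised <Assertion> element, a stand-in for the
RSA XML-DSig real SAML uses; XML layout, key and names are constructed.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

IDP_KEY = b"constructed-idp-signing-key"    # stand-in for the IdP signing key
SP_AUDIENCE = "https://sogo.example/SOGo"   # constructed SP entity ID


def canonical(element: ET.Element) -> bytes:
    """Deterministic bytes the signature covers (real SAML uses exc-c14n)."""
    return ET.tostring(element, encoding="unicode").encode()


def idp_issue_response(name_id: str, key: bytes) -> str:
    """IdP side: <Response><Assertion>...</Assertion><Signature>...</Signature></Response>."""
    response = ET.Element("Response")
    assertion = ET.SubElement(response, "Assertion")
    ET.SubElement(ET.SubElement(assertion, "Subject"), "NameID").text = name_id
    ET.SubElement(assertion, "Audience").text = SP_AUDIENCE
    ET.SubElement(response, "Signature").text = hmac.new(
        key, canonical(assertion), hashlib.sha256).hexdigest()
    return ET.tostring(response, encoding="unicode")


def attacker_rewrite(response_xml: str, victim: str, drop_signature: bool = False) -> str:
    """Anyone with network access can post a modified response to the SP:
    swap the NameID for the victim's and optionally strip the signature."""
    root = ET.fromstring(response_xml)
    root.find("Assertion/Subject/NameID").text = victim
    if drop_signature:
        root.remove(root.find("Signature"))
    return ET.tostring(root, encoding="unicode")


def signature_status(response_xml: str, key: bytes) -> str:
    """Return 'ok', 'missing' or 'invalid'; both non-ok states must be fatal."""
    root = ET.fromstring(response_xml)
    assertion = root.find("Assertion")
    signature = root.findtext("Signature")
    if assertion is None or not signature:
        return "missing"
    expected = hmac.new(key, canonical(assertion), hashlib.sha256).hexdigest()
    return "ok" if hmac.compare_digest(expected, signature) else "invalid"


def sp_login_vulnerable(response_xml: str):
    """Vulnerable pattern: trusts the assertion body, never consults the signature."""
    root = ET.fromstring(response_xml)
    assertion = root.find("Assertion")
    if assertion is None or assertion.findtext("Audience") != SP_AUDIENCE:
        return None
    return assertion.findtext("Subject/NameID")   # attacker-controlled identity


def sp_login_fixed(response_xml: str, key: bytes):
    """Fixed pattern: refuse the login unless the signature over the assertion
    verifies against the IdP key the SP was configured with."""
    if signature_status(response_xml, key) != "ok":
        return None
    assertion = ET.fromstring(response_xml).find("Assertion")
    if assertion.findtext("Audience") != SP_AUDIENCE:
        return None
    return assertion.findtext("Subject/NameID")


if __name__ == "__main__":
    genuine = idp_issue_response("mallory", IDP_KEY)
    forged = attacker_rewrite(genuine, "alice")
    print("vulnerable SP, forged  ->", sp_login_vulnerable(forged))       # alice
    print("fixed SP, forged       ->", sp_login_fixed(forged, IDP_KEY))   # None
    print("fixed SP, genuine      ->", sp_login_fixed(genuine, IDP_KEY))  # mallory
```

Two points the example is built around: the SP verifies against key material it was configured with, never against anything carried in the message, and a missing signature is treated exactly like a bad one, since an attacker who can edit the NameID can just as easily delete the <Signature> element. For Debian users, every release listed above is vulnerable and unstable is unfixed at the time of this entry, so the only remedy is the upstream 5.1.1 fix.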
