CVE-2021-33054

Name: CVE-2021-33054
Description: SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receives. Any actor with network access to the deployment could impersonate users when SAML is the authentication method. (Only versions after 2.0.5a are affected.)
Source: CVE (at NVD)
References: DLA-2707-1
NVD severity: medium
Debian Bugs: 989479

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release              Version            Status
sogo (PTS)       stretch              3.2.6-2            vulnerable
                 stretch (security)   3.2.6-2+deb9u1     fixed
                 buster               4.0.7-1+deb10u1    vulnerable
                 bullseye             5.0.1-4            vulnerable
                 bookworm, sid        5.1.1-1            fixed

The information below is based on the following data on fixed versions.

Package   Type     Release       Fixed Version      Urgency   Origin        Debian Bugs
sogo      source   stretch       3.2.6-2+deb9u1               DLA-2707-1
sogo      source   (unstable)    5.1.1-1                                    989479

Notes

https://www.sogo.nu/news/2021/saml-vulnerability.html
https://blogs.akamai.com/2021/06/saml-implementation-vulnerability-impacting-some-akamai-services.html
https://blogs.akamai.com/2021/06/akamai-eaa-impersonation-vulnerability---a-deep-dive.html
https://blogs.akamai.com/2021/06/sogo-and-packetfence-impacted-by-saml-implementation-vulnerabilities.html
Introduced by: https://github.com/inverse-inc/sogo/commit/5487f34b9ee9b9639e3f1d4a7abf4fad2d240d66 (SOGo-2.0.5)
Fixed by: https://github.com/inverse-inc/sogo/commit/e53636564680ac0df11ec898304bc442908ba746 (SOGo-5.1.1)
This CVE is assigned to the SOGo vulnerability in its use of lasso, i.e. SOGo's own handling of the assertions it receives.
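The failure the description above names, shown as an added example that is not SOGo's or lasso's code: a service-provider consumer that trusts the NameID of whatever assertion it is handed (the pre-fix behaviour the CVE describes) next to one that accepts an assertion only if it carries a signature whose Reference is bound to the assertion's own ID, whose digest matches the body as received, and which verifies under the trusted IdP key. To keep the example runnable on the Python standard library alone, the XML-DSig step (RSA over the IdP's X.509 certificate) is replaced by an HMAC-SHA256 over the C14N 2.0 form of the XML; that substitution, the key, the assertion IDs and the NameIDs are all constructed for the demo. The structural checks are the ones any SAML SP must perform regardless of the signature algorithm.

```python
"""Added example, not SOGo or lasso code: the check CVE-2021-33054 is about.
Assumption: XML-DSig over the IdP's X.509 certificate is replaced by
HMAC-SHA256 over the C14N 2.0 form of the XML so this runs on the standard
library alone; the structural checks are the real ones. The key, IDs and
NameIDs are constructed for the demo."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("saml", SAML)
ET.register_namespace("ds", DS)
IDP_KEY = b"constructed-idp-key-for-the-demo-only"  # stands in for the IdP cert


class AssertionRejected(Exception):
    """Raised by the hardened consumer for anything it will not trust."""


def _c14n(element: ET.Element) -> bytes:
    return ET.canonicalize(ET.tostring(element, encoding="unicode")).encode()


def _assertion_body(assertion: ET.Element) -> bytes:
    """Enveloped-signature transform: the signed bytes are the assertion minus its own <ds:Signature>."""
    copy = ET.fromstring(ET.tostring(assertion))
    for sig in copy.findall(f"{{{DS}}}Signature"):
        copy.remove(sig)
    return _c14n(copy)


def _b64(value: str) -> bytes:
    try:
        return base64.b64decode(value or "", validate=True)
    except ValueError:
        raise AssertionRejected("bad base64 in Signature") from None


def build_assertion(name_id: str, assertion_id: str) -> ET.Element:
    assertion = ET.Element(f"{{{SAML}}}Assertion", ID=assertion_id, Version="2.0")
    subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = name_id
    return assertion


def sign_assertion(assertion: ET.Element, key: bytes) -> None:
    """IdP side: digest the body, bind the Reference to the assertion ID, sign SignedInfo."""
    digest = hashlib.sha256(_assertion_body(assertion)).digest()
    sig = ET.SubElement(assertion, f"{{{DS}}}Signature")
    info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ref = ET.SubElement(info, f"{{{DS}}}Reference", URI="#" + assertion.get("ID"))
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = base64.b64encode(digest).decode()
    mac = hmac.new(key, _c14n(info), hashlib.sha256).digest()
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode()


def issue(name_id: str, assertion_id: str, key: bytes) -> bytes:
    """IdP side: build, sign and serialise one assertion."""
    assertion = build_assertion(name_id, assertion_id)
    sign_assertion(assertion, key)
    return ET.tostring(assertion)


def extract_user_vulnerable(assertion_xml: bytes) -> str:
    """The behaviour the CVE describes: the NameID is trusted as received, signed or not."""
    return ET.fromstring(assertion_xml).findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")


def extract_user_hardened(assertion_xml: bytes, trusted_key: bytes) -> str:
    assertion = ET.fromstring(assertion_xml)
    assertion_id = assertion.get("ID")
    if assertion.tag != f"{{{SAML}}}Assertion" or not assertion_id:
        raise AssertionRejected("not an identifiable Assertion")
    sig = assertion.find(f"{{{DS}}}Signature")
    if sig is None:
        raise AssertionRejected("unsigned assertion")
    info = sig.find(f"{{{DS}}}SignedInfo")
    ref = info.find(f"{{{DS}}}Reference") if info is not None else None
    if ref is None:
        raise AssertionRejected("malformed Signature")
    # The signature must cover this very assertion, not some other element.
    if ref.get("URI") != "#" + assertion_id:
        raise AssertionRejected("Reference does not point at this assertion")
    # 1. The body as received must hash to the signed DigestValue.
    expected = hashlib.sha256(_assertion_body(assertion)).digest()
    if not hmac.compare_digest(expected, _b64(ref.findtext(f"{{{DS}}}DigestValue"))):
        raise AssertionRejected("assertion body does not match its digest")
    # 2. SignedInfo must verify under the trusted IdP key.
    mac = hmac.new(trusted_key, _c14n(info), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _b64(sig.findtext(f"{{{DS}}}SignatureValue"))):
        raise AssertionRejected("signature verification failed")
    name_id = assertion.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if not name_id:
        raise AssertionRejected("no NameID")
    return name_id


def hardened_outcome(assertion_xml: bytes) -> str:
    try:
        return extract_user_hardened(assertion_xml, IDP_KEY)
    except AssertionRejected as exc:
        return f"REJECTED: {exc}"


def demo() -> dict:
    """Returns {case: (vulnerable result, hardened result)} for three constructed inputs."""
    good_xml = issue("alice@example.org", "_a1", IDP_KEY)
    forged_xml = ET.tostring(build_assertion("admin@example.org", "_f1"))  # no signature at all
    tampered = ET.fromstring(good_xml)  # IdP's signature kept, NameID swapped by the attacker
    tampered.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID").text = "admin@example.org"
    cases = {"good": good_xml, "forged": forged_xml, "tampered": ET.tostring(tampered)}
    return {k: (extract_user_vulnerable(x), hardened_outcome(x)) for k, x in cases.items()}
```

Running `demo()` shows the three cases side by side: the vulnerable consumer logs in `admin@example.org` for both the unsigned forgery and the re-used IdP signature with a swapped NameID, which is exactly the impersonation the description warns about, while the hardened consumer accepts only the IdP's untouched assertion. In a real SP the HMAC step is XML-DSig verification against the IdP metadata certificate (in SOGo's case through lasso), and the Reference-URI and digest checks stay as written.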
