Executive Summary

Summary
Titlemahara security update
Informations
NameDSA-2467First vendor Publication2012-05-09
VendorDebianLast vendor Modification2012-05-09
Severity (Vendor) N/ARevision1

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Cvss Base Score5Attack RangeNetwork
Cvss Impact Score2.9Attack ComplexityLow
Cvss Expoit Score10AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores

Detail

It was discovered that Mahara, the portfolio, weblog, and resume builder, had an insecure default with regards to SAML-based authentication used with more than one SAML identity provider. Someone with control over one IdP could impersonate users from other IdP's.

For the stable distribution (squeeze), this problem has been fixed in version 1.2.6-2+squeeze4.

For the testing distribution (wheezy) and unstable distribution (sid), this problem has been fixed in version 1.4.2-1.

We recommend that you upgrade your mahara packages.

Original Source

Url : http://www.debian.org/security/2012/dsa-2467

CWE : Common Weakness Enumeration

idName
CWE-16Configuration

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:18492
 
Oval ID: oval:org.mitre.oval:def:18492
Title: DSA-2467-1 mahara - insecure defaults
Description: It was discovered that Mahara, the portfolio, weblog, and resume builder, had an insecure default with regards to SAML-based authentication used with more than one SAML identity provider. Someone with control over one IdP could impersonate users from other IdP's.
Family: unix Class: patch
Reference(s): DSA-2467-1
CVE-2012-2351
Version: 7
Platform(s): Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
Product(s): mahara
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application74

OpenVAS Exploits

DateDescription
2012-05-31Name : Debian Security Advisory DSA 2467-1 (mahara)
File : nvt/deb_2467_1.nasl

Nessus® Vulnerability Scanner

DateDescription
2012-05-10Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2467.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
DateInformations
2014-02-17 11:31:03
  • Multiple Updates