CVE-2021-33054

SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receives. Any actor with network access to the deployment could impersonate users when SAML is the authentication method. (Only versions after 2.0.5a are affected.)

Published: Jun 4, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-33054
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:P/A:N

CWEs:

CWE-347

Affected Software
References

Software	From	Fixed in
inverse / sogo	3.0.0	5.1.1
inverse / sogo	2.0.6	2.4.1
debian / debian_linux	9.0	9.0.x
debian / debian_linux	10.0	10.0.x
debian / debian_linux	11.0	11.0.x

https://blogs.akamai.com/2021/06/sogo-and-packetfence-impacted-by-saml-implementation-vulnerabilities.html
https://github.com/inverse-inc/sogo/blob/master/CHANGELOG.md
https://lists.debian.org/debian-lts-announce/2021/07/msg00007.html
https://www.debian.org/security/2021/dsa-5029
https://www.sogo.nu/news.html

Vulnerability Database

CVE-2021-33054