Vulnerability Details CVE-2021-33054
SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receives. Any actor with network access to the deployment could impersonate users when SAML is the authentication method. (Only versions after 2.0.5a are affected.)
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 49.0%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
Products affected by CVE-2021-33054
- cpe:2.3:a:inverse:sogo:2.0.6
- cpe:2.3:a:inverse:sogo:2.0.7
- cpe:2.3:a:inverse:sogo:2.1.0
- cpe:2.3:a:inverse:sogo:2.1.1
- cpe:2.3:a:inverse:sogo:2.2.0
- cpe:2.3:a:inverse:sogo:2.2.1
- cpe:2.3:a:inverse:sogo:2.2.10
- cpe:2.3:a:inverse:sogo:2.2.11
- cpe:2.3:a:inverse:sogo:2.2.12
- cpe:2.3:a:inverse:sogo:2.2.13
- cpe:2.3:a:inverse:sogo:2.2.14
- cpe:2.3:a:inverse:sogo:2.2.15
- cpe:2.3:a:inverse:sogo:2.2.16
- cpe:2.3:a:inverse:sogo:2.2.17
- cpe:2.3:a:inverse:sogo:2.2.2
- cpe:2.3:a:inverse:sogo:2.2.3
- cpe:2.3:a:inverse:sogo:2.2.4
- cpe:2.3:a:inverse:sogo:2.2.5
- cpe:2.3:a:inverse:sogo:2.2.6
- cpe:2.3:a:inverse:sogo:2.2.7
- cpe:2.3:a:inverse:sogo:2.2.8
- cpe:2.3:a:inverse:sogo:2.2.9
- cpe:2.3:a:inverse:sogo:2.3.0
- cpe:2.3:a:inverse:sogo:2.3.1
- cpe:2.3:a:inverse:sogo:2.3.10
- cpe:2.3:a:inverse:sogo:2.3.11
- cpe:2.3:a:inverse:sogo:2.3.12
- cpe:2.3:a:inverse:sogo:2.3.13
- cpe:2.3:a:inverse:sogo:2.3.14
- cpe:2.3:a:inverse:sogo:2.3.15
- cpe:2.3:a:inverse:sogo:2.3.16
- cpe:2.3:a:inverse:sogo:2.3.17
- cpe:2.3:a:inverse:sogo:2.3.18
- cpe:2.3:a:inverse:sogo:2.3.19
- cpe:2.3:a:inverse:sogo:2.3.2
- cpe:2.3:a:inverse:sogo:2.3.20
- cpe:2.3:a:inverse:sogo:2.3.21
- cpe:2.3:a:inverse:sogo:2.3.22
- cpe:2.3:a:inverse:sogo:2.3.23
- cpe:2.3:a:inverse:sogo:2.3.3
- cpe:2.3:a:inverse:sogo:2.3.4
- cpe:2.3:a:inverse:sogo:2.3.5
- cpe:2.3:a:inverse:sogo:2.3.6
- cpe:2.3:a:inverse:sogo:2.3.7
- cpe:2.3:a:inverse:sogo:2.3.8
- cpe:2.3:a:inverse:sogo:2.3.9
- cpe:2.3:a:inverse:sogo:3.0.0
- cpe:2.3:a:inverse:sogo:3.0.1
- cpe:2.3:a:inverse:sogo:3.0.2
- cpe:2.3:a:inverse:sogo:3.1.0
- cpe:2.3:a:inverse:sogo:3.1.1
- cpe:2.3:a:inverse:sogo:3.1.2
- cpe:2.3:a:inverse:sogo:3.1.3
- cpe:2.3:a:inverse:sogo:3.1.4
- cpe:2.3:a:inverse:sogo:3.1.5
- cpe:2.3:a:inverse:sogo:3.2.0
- cpe:2.3:a:inverse:sogo:3.2.1
- cpe:2.3:a:inverse:sogo:3.2.10
- cpe:2.3:a:inverse:sogo:3.2.2
- cpe:2.3:a:inverse:sogo:3.2.3
- cpe:2.3:a:inverse:sogo:3.2.4
- cpe:2.3:a:inverse:sogo:3.2.5
- cpe:2.3:a:inverse:sogo:3.2.6
- cpe:2.3:a:inverse:sogo:3.2.7
- cpe:2.3:a:inverse:sogo:3.2.8
- cpe:2.3:a:inverse:sogo:3.2.9
- cpe:2.3:a:inverse:sogo:4.0.0
- cpe:2.3:a:inverse:sogo:4.0.1
- cpe:2.3:a:inverse:sogo:4.0.2
- cpe:2.3:a:inverse:sogo:4.0.3
- cpe:2.3:a:inverse:sogo:4.0.4
- cpe:2.3:a:inverse:sogo:4.0.5
- cpe:2.3:a:inverse:sogo:4.0.6
- cpe:2.3:a:inverse:sogo:4.0.7
- cpe:2.3:a:inverse:sogo:4.0.8
- cpe:2.3:a:inverse:sogo:4.1.0
- cpe:2.3:a:inverse:sogo:4.1.1
- cpe:2.3:o:debian:debian_linux:10.0
- cpe:2.3:o:debian:debian_linux:11.0
- cpe:2.3:o:debian:debian_linux:9.0