製品・ソフトウェアに関する情報

JVN脆弱性詳細

複数の CA SiteMinder 製品における他のユーザを偽装される脆弱性

Title	複数の CA SiteMinder 製品における他のユーザを偽装される脆弱性
Summary	CA SiteMinder Federation (FSS/Standalone)、Agent for SharePoint および SiteMinder for Secure Proxy Server は、SAML ステートメント用の XML 署名を適切に検証しないため、他のユーザに偽装される、および権限を取得される脆弱性が存在します。
Possible impacts	第三者により、他のユーザに偽装される、および権限を取得される可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	March 19, 2013, midnight
Registration Date	March 25, 2013, 7:07 p.m.
Last Update	March 25, 2013, 7:07 p.m.

Affected System

CA Technologies

CA SiteMinder Agent for SharePoint 2010

CA SiteMinder Federation (FSS) 12.0

CA SiteMinder Federation (FSS) 12.5

CA SiteMinder Federation (FSS) r6

CA SiteMinder Federation (Standalone) 12.0

CA SiteMinder Federation (Standalone) 12.1

CA SiteMinder for Secure Proxy Server 12.0

CA SiteMinder for Secure Proxy Server 12.5

CA SiteMinder for Secure Proxy Server 6.0

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2013-2279	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2279
National Vulnerability Database (NVD)
2	CVE-2013-2279	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2279

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html

ベンダー情報

No	Name	URL
CA
1	CA SiteMinder	http://www.ca.com/jp/products/detail/CA-SiteMinder/benefits.aspx
CA SUPPORT ONLINE
2	CA20130319-01: Security Notice for SiteMinder products using SAML	https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=%7B53E50CBD-6F6A-4B3A-85FF-36E44ABED8D5%7D

Change Log

No	Changed Details	Date of change
0	[2013年03月25日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2013-2279

Summary	CA SiteMinder Federation (FSS) 12.5, 12.0, and r6; Federation (Standalone) 12.1 and 12.0; Agent for SharePoint 2010; and SiteMinder for Secure Proxy Server 6.0, 12.0, and 12.5 does not properly verify XML signatures for SAML statements, which allows remote attackers to spoof other users and gain privileges.
Publication Date	March 22, 2013, 2:55 a.m.
Registration Date	Jan. 26, 2021, 3:38 p.m.
Last Update	Nov. 21, 2024, 10:51 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:siteminder_federation:r6.0::::::::
cpe:2.3:a:siteminder_agent_for_sharepoint:2010::::::::
cpe:2.3:a:siteminder_federation:12.0:-:standalone::::::
cpe:2.3:a:siteminder_federation:12.0::::::::
cpe:2.3:a:siteminder_for_secure_proxy_server:6.0::::::::
cpe:2.3:a:siteminder_federation:12.1:-:standalone::::::
cpe:2.3:a:siteminder_for_secure_proxy_server:12.0::::::::
cpe:2.3:a:siteminder_for_secure_proxy_server:12.5::::::::
cpe:2.3:a:siteminder_federation:12.5::::::::

Related information, measures and tools

No	URL	タグ
1	http://archives.neohapsis.com/archives/bugtraq/2013-03/0118.html
2	http://archives.neohapsis.com/archives/bugtraq/2013-03/0118.html
3	http://secunia.com/advisories/52610	Vendor Advisory
4	http://secunia.com/advisories/52610	Vendor Advisory
5	http://www.securityfocus.com/bid/58609
6	http://www.securityfocus.com/bid/58609
7	https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=%7B53E50CBD-6F6A-4B3A-85FF-36E44ABED8D5%7D
8	https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=%7B53E50CBD-6F6A-4B3A-85FF-36E44ABED8D5%7D

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-20	不適切な入力確認	https://cwe.mitre.org/data/definitions/20.html

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:siteminder_federation:r6.0::::::::
cpe:2.3:a:siteminder_agent_for_sharepoint:2010::::::::
cpe:2.3:a:siteminder_federation:12.0:-:standalone::::::
cpe:2.3:a:siteminder_federation:12.0::::::::
cpe:2.3:a:siteminder_for_secure_proxy_server:6.0::::::::
cpe:2.3:a:siteminder_federation:12.1:-:standalone::::::
cpe:2.3:a:siteminder_for_secure_proxy_server:12.0::::::::
cpe:2.3:a:siteminder_for_secure_proxy_server:12.5::::::::
cpe:2.3:a:siteminder_federation:12.5::::::::