CVE-2021-33054

NameCVE-2021-33054
DescriptionSOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receives. Any actor with network access to the deployment could impersonate users when SAML is the authentication method. (Only versions after 2.0.5a are affected.)
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2707-1, DSA-5029-1
Debian Bugs989479

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
sogo (PTS)stretch (security), stretch (lts), stretch3.2.6-2+deb9u1fixed
buster (security), buster, buster (lts)4.0.7-1+deb10u2fixed
bullseye (security), bullseye5.0.1-4+deb11u1fixed
bookworm5.8.0-1fixed
sid, trixie5.11.2-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
sogosourcestretch3.2.6-2+deb9u1DLA-2707-1
sogosourcebuster4.0.7-1+deb10u2DSA-5029-1
sogosourcebullseye5.0.1-4+deb11u1DSA-5029-1
sogosource(unstable)5.1.1-1989479

Notes

https://www.sogo.nu/news/2021/saml-vulnerability.html
https://blogs.akamai.com/2021/06/saml-implementation-vulnerability-impacting-some-akamai-services.html
https://blogs.akamai.com/2021/06/akamai-eaa-impersonation-vulnerability---a-deep-dive.html
https://blogs.akamai.com/2021/06/sogo-and-packetfence-impacted-by-saml-implementation-vulnerabilities.html
Introduced by: https://github.com/inverse-inc/sogo/commit/5487f34b9ee9b9639e3f1d4a7abf4fad2d240d66 (SOGo-2.0.5)
Fixed by: https://github.com/inverse-inc/sogo/commit/e53636564680ac0df11ec898304bc442908ba746 (SOGo-5.1.1)
CVE is assigned for the SOGo vulnerability regarding the lasso usage.

Search for package or bug name: Reporting problems