CVE-2021-33054

Name: CVE-2021-33054
Description: SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not valida ...
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-2707-1
Debian Bugs: 989479

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| sogo (PTS) | stretch | 3.2.6-2 | vulnerable |
| | stretch (security) | 3.2.6-2+deb9u1 | fixed |
| | buster | 4.0.7-1+deb10u1 | vulnerable |
| | bullseye | 5.0.1-4 | vulnerable |
| | sid, bookworm | 5.2.0-1 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| sogo | source | stretch | 3.2.6-2+deb9u1 | | DLA-2707-1 | |
| sogo | source | (unstable) | 5.1.1-1 | | | 989479 |

Notes

https://www.sogo.nu/news/2021/saml-vulnerability.html
https://blogs.akamai.com/2021/06/saml-implementation-vulnerability-impacting-some-akamai-services.html
https://blogs.akamai.com/2021/06/akamai-eaa-impersonation-vulnerability---a-deep-dive.html
https://blogs.akamai.com/2021/06/sogo-and-packetfence-impacted-by-saml-implementation-vulnerabilities.html
Introduced by: https://github.com/inverse-inc/sogo/commit/5487f34b9ee9b9639e3f1d4a7abf4fad2d240d66 (SOGo-2.0.5)
Fixed by: https://github.com/inverse-inc/sogo/commit/e53636564680ac0df11ec898304bc442908ba746 (SOGo-5.1.1)
CVE is assigned for the SOGo vulnerability regarding the lasso usage.
