{"api_version":"1","generated_at":"2026-05-14T16:15:38+00:00","cve":"CVE-2021-33054","urls":{"html":"https://cve.report/CVE-2021-33054","api":"https://cve.report/api/cve/CVE-2021-33054.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-33054","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-33054"},"summary":{"title":"CVE-2021-33054","description":"SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receives. Any actor with network access to the deployment could impersonate users when SAML is the authentication method. (Only versions after 2.0.5a are affected.)","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2021-06-04 15:15:00","updated_at":"2022-03-29 16:38:00"},"problem_types":["CWE-347"],"metrics":[],"references":[{"url":"https://www.debian.org/security/2021/dsa-5029","name":"DSA-5029","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-5029-1 sogo","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/inverse-inc/sogo/blob/master/CHANGELOG.md","name":"https://github.com/inverse-inc/sogo/blob/master/CHANGELOG.md","refsource":"MISC","tags":[],"title":"sogo/CHANGELOG.md at master · inverse-inc/sogo · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2021/07/msg00007.html","name":"[debian-lts-announce] 20210712 [SECURITY] [DLA 2707-1] sogo security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 2707-1] sogo security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.sogo.nu/news.html","name":"https://www.sogo.nu/news.html","refsource":"MISC","tags":[],"title":"News","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://blogs.akamai.com/2021/06/sogo-and-packetfence-impacted-by-saml-implementation-vulnerabilities.html","name":"https://blogs.akamai.com/2021/06/sogo-and-packetfence-impacted-by-saml-implementation-vulnerabilities.html","refsource":"MISC","tags":[],"title":"SOGo and PacketFence Impacted by SAML Implementation Vulnerabilities - The Akamai Blog","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-33054","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-33054","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"33054","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"33054","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"11.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"33054","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"33054","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"inverse","cpe5":"sogo","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-33054","qid":"178703","title":"Debian Security Update for sogo (DLA 2707-1)"},{"cve":"CVE-2021-33054","qid":"178951","title":"Debian Security Update for sogo (DSA 5029-1)"},{"cve":"CVE-2021-33054","qid":"182833","title":"Debian Security Update for sogo (CVE-2021-33054)"},{"cve":"CVE-2021-33054","qid":"690116","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for sogo (69815a1d-c31d-11eb-9633-b42e99a1b9c3)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2021-33054","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receives. Any actor with network access to the deployment could impersonate users when SAML is the authentication method. (Only versions after 2.0.5a are affected.)"}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://www.sogo.nu/news.html","refsource":"MISC","name":"https://www.sogo.nu/news.html"},{"url":"https://github.com/inverse-inc/sogo/blob/master/CHANGELOG.md","refsource":"MISC","name":"https://github.com/inverse-inc/sogo/blob/master/CHANGELOG.md"},{"refsource":"MISC","name":"https://blogs.akamai.com/2021/06/sogo-and-packetfence-impacted-by-saml-implementation-vulnerabilities.html","url":"https://blogs.akamai.com/2021/06/sogo-and-packetfence-impacted-by-saml-implementation-vulnerabilities.html"},{"refsource":"MLIST","name":"[debian-lts-announce] 20210712 [SECURITY] [DLA 2707-1] sogo security update","url":"https://lists.debian.org/debian-lts-announce/2021/07/msg00007.html"},{"refsource":"DEBIAN","name":"DSA-5029","url":"https://www.debian.org/security/2021/dsa-5029"}]}},"nvd":{"publishedDate":"2021-06-04 15:15:00","lastModifiedDate":"2022-03-29 16:38:00","problem_types":["CWE-347"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:inverse:sogo:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0.0","versionEndExcluding":"5.1.1","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:inverse:sogo:*:*:*:*:*:*:*:*","versionStartIncluding":"2.0.6","versionEndExcluding":"2.4.1","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"33054","Ordinal":"208448","Title":"CVE-2021-33054","CVE":"CVE-2021-33054","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"33054","Ordinal":"1","NoteData":"SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receives. Any actor with network access to the deployment could impersonate users when SAML is the authentication method. (Only versions after 2.0.5a are affected.)","Type":"Description","Title":null},{"CveYear":"2021","CveId":"33054","Ordinal":"2","NoteData":"2021-06-04","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"33054","Ordinal":"3","NoteData":"2021-12-23","Type":"Other","Title":"Modified"}]}}}