{"id":"CVE-2021-33054","details":"SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receives. Any actor with network access to the deployment could impersonate users when SAML is the authentication method. (Only versions after 2.0.5a are affected.)","modified":"2026-05-18T05:55:15.261006571Z","published":"2021-06-04T15:15:07.647Z","database_specific":{"unresolved_ranges":[{"cpes":["cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"],"source":"CPE_FIELD","vendor_product":"debian:debian_linux","extracted_events":[{"last_affected":"9.0"},{"last_affected":"10.0"},{"last_affected":"11.0"}]}]},"references":[{"type":"WEB","url":"https://www.sogo.nu/news.html"},{"type":"ADVISORY","url":"https://blogs.akamai.com/2021/06/sogo-and-packetfence-impacted-by-saml-implementation-vulnerabilities.html"},{"type":"ADVISORY","url":"https://github.com/inverse-inc/sogo/blob/master/CHANGELOG.md"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/07/msg00007.html"},{"type":"ADVISORY","url":"https://www.debian.org/security/2021/dsa-5029"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/Alinto/sogo","events":[{"introduced":"bf398889bf538cad2589ddd4f3a0c39b38f1e9e2"},{"fixed":"24687abdd496d9a9e416d4efa082bb325dad2870"},{"introduced":"fe0221f6300bc92f0156f9dde4e58c1c8d3610e7"},{"fixed":"a42749facdf98fe101dc962b855399bf4683ecb2"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"2.0.6"},{"fixed":"2.4.1"},{"introduced":"3.0.0"},{"fixed":"5.1.1"}],"cpe":"cpe:2.3:a:inverse:sogo:*:*:*:*:*:*:*:*"}}],"versions":["SOGo-5.1.0","SOGo-5.0.1","SOGo-5.0.0","SOGo-4.3.2","SOGo-4.3.1","SOGo-4.3.0","SOGo-4.2.0","SOGo-4.1.1","SOGo-4.1.0","SOGo-4.0.8","SOGo-4.0.7","SOGo-4.0.6","SOGo-4.0.5","SOGo-4.0.4","SOGo-4.0.3","SOGo-4.0.2","SOGo-4.0.1","SOGo-4.0.0","SOGo-3.2.10","SOGo-3.2.9","SOGo-3.2.8","SOGo-3.2.7","SOGo-3.2.6a","SOGo-3.2.5","SOGo-3.2.4","SOGo-3.2.3","SOGo-3.2.2","SOGo-3.2.1","SOGo-3.2.0","SOGo-3.1.5","SOGo-3.1.4","SOGo-3.1.3","SOGo-3.1.2","SOGo-3.1.0","SOGo-3.0.2","SOGo-3.0.1","SOGo-3.0.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-33054.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}