Unrated severityNVD Advisory· Published Jul 11, 2011· Updated Apr 29, 2026

CVE-2011-2516

Description

Off-by-one error in the XML signature feature in Apache XML Security for C++ 1.6.0, as used in Shibboleth before 2.4.3 and possibly other products, allows remote attackers to cause a denial of service (crash) via a signature using a large RSA key, which triggers a buffer overflow.

Affected products

Internet2/Shibboleth Sp15 versions
cpe:2.3:a:shibboleth:shibboleth-sp:2.0:*:*:*:*:*:*:*+ 14 more
- cpe:2.3:a:shibboleth:shibboleth-sp:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:shibboleth:shibboleth-sp:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:shibboleth:shibboleth-sp:2.2:*:*:*:*:*:*:*
- cpe:2.3:a:shibboleth:shibboleth-sp:*:*:*:*:*:*:*:*range: <=2.4.2
- cpe:2.3:a:shibboleth:shibboleth-sp:1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:shibboleth:shibboleth-sp:1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:shibboleth:shibboleth-sp:1.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:shibboleth:shibboleth-sp:1.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:shibboleth:shibboleth-sp:1.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:shibboleth:shibboleth-sp:1.3f:*:*:*:*:*:*:*
- cpe:2.3:a:shibboleth:shibboleth-sp:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:shibboleth:shibboleth-sp:2.3:*:*:*:*:*:*:*
- cpe:2.3:a:shibboleth:shibboleth-sp:2.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:shibboleth:shibboleth-sp:2.4:*:*:*:*:*:*:*
- cpe:2.3:a:shibboleth:shibboleth-sp:2.4.1:*:*:*:*:*:*:*
Apache/Xml Security For C\+\+
cpe:2.3:a:apache:xml_security_for_c\+\+:1.6.0:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.006
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000