High severity8.1NVD Advisory· Published Nov 16, 2017· Updated May 13, 2026

CVE-2017-16852

Description

shibsp/metadata/DynamicMetadataProvider.cpp in the Dynamic MetadataProvider plugin in Shibboleth Service Provider before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform critical security checks such as signature verification, enforcement of validity periods, and other checks specific to deployments, aka SSPCPP-763.

Affected products

Internet2/Service Provider
cpe:2.3:a:shibboleth:service_provider:*:*:*:*:*:*:*:*
Range: <2.6.1
Debian/Debian Linux2 versions
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

bugs.debian.org/881857nvdIssue TrackingThird Party Advisory
shibboleth.net/community/advisories/secadv_20171115.txtnvdIssue TrackingVendor Advisory
www.debian.org/security/2017/dsa-4038nvdIssue TrackingThird Party Advisory
lists.debian.org/debian-lts-announce/2017/11/msg00025.htmlnvd

News mentions

No linked articles in our index yet.

cvss	0.526
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000