Service Provider
by Internet2
CVEs (9)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-16852 | Hig | 0.53 | 8.1 | 0.01 | Nov 16, 2017 | shibsp/metadata/DynamicMetadataProvider.cpp in the Dynamic MetadataProvider plugin in Shibboleth Service Provider before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform critical security checks such as signature verification,… | ||
| CVE-2023-22947 | 0.00 | — | 0.00 | Jan 11, 2023 | Insecure folder permissions in the Windows installation path of Shibboleth Service Provider (SP) before 3.4.1 allow an unprivileged local attacker to escalate privileges to SYSTEM via DLL planting in the service executable's folder. This occurs because the installation goes… | |||
| CVE-2021-28963 | 0.00 | — | 0.01 | Mar 22, 2021 | Shibboleth Service Provider before 3.2.1 allows content injection because template generation uses attacker-controlled parameters. | |||
| CVE-2019-19191 | 0.00 | — | 0.00 | Nov 21, 2019 | Shibboleth Service Provider (SP) 3.x before 3.1.0 shipped a spec file that calls chown on files in a directory controlled by the service user (the shibd account) after installation. This allows the user to escalate to root by pointing symlinks to files such as /etc/shadow. | |||
| CVE-2015-2684 | 0.00 | — | 0.02 | Mar 31, 2015 | Shibboleth Service Provider (SP) before 2.5.4 allows remote authenticated users to cause a denial of service (crash) via a crafted SAML message. | |||
| CVE-2009-3300 | 0.00 | — | 0.02 | Nov 6, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in the Identity Provider (IdP) 1.3.x before 1.3.4 and 2.x before 2.1.5, and the Service Provider 1.3.x before 1.3.5 and 2.x before 2.3, in Internet2 Middleware Initiative Shibboleth allow remote attackers to inject arbitrary… | |||
| CVE-2009-3476 | 0.00 | — | 0.04 | Sep 29, 2009 | Buffer overflow in OpenSAML before 1.1.3 as used in Internet2 Shibboleth Service Provider software 1.3.x before 1.3.4, and XMLTooling before 1.2.2 as used in Internet2 Shibboleth Service Provider software 2.x before 2.2.1, allows remote attackers to cause a denial of service and… | |||
| CVE-2009-3475 | 0.00 | — | 0.01 | Sep 29, 2009 | Internet2 Shibboleth Service Provider software 1.3.x before 1.3.3 and 2.x before 2.2.1, when using PKIX trust validation, does not properly handle a '\0' character in the subject or subjectAltName fields of a certificate, which allows remote man-in-the-middle attackers to spoof… | |||
| CVE-2009-3474 | 0.00 | — | 0.02 | Sep 29, 2009 | OpenSAML 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, as used by Internet2 Shibboleth Service Provider 2.x before 2.2.1, do not follow the KeyDescriptor element's Use attribute, which allows remote attackers to use a certificate for both signing and encryption when it is… |
- risk 0.53cvss 8.1epss 0.01
shibsp/metadata/DynamicMetadataProvider.cpp in the Dynamic MetadataProvider plugin in Shibboleth Service Provider before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform critical security checks such as signature verification,…
- CVE-2023-22947Jan 11, 2023risk 0.00cvss —epss 0.00
Insecure folder permissions in the Windows installation path of Shibboleth Service Provider (SP) before 3.4.1 allow an unprivileged local attacker to escalate privileges to SYSTEM via DLL planting in the service executable's folder. This occurs because the installation goes…
- CVE-2021-28963Mar 22, 2021risk 0.00cvss —epss 0.01
Shibboleth Service Provider before 3.2.1 allows content injection because template generation uses attacker-controlled parameters.
- CVE-2019-19191Nov 21, 2019risk 0.00cvss —epss 0.00
Shibboleth Service Provider (SP) 3.x before 3.1.0 shipped a spec file that calls chown on files in a directory controlled by the service user (the shibd account) after installation. This allows the user to escalate to root by pointing symlinks to files such as /etc/shadow.
- CVE-2015-2684Mar 31, 2015risk 0.00cvss —epss 0.02
Shibboleth Service Provider (SP) before 2.5.4 allows remote authenticated users to cause a denial of service (crash) via a crafted SAML message.
- CVE-2009-3300Nov 6, 2009risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in the Identity Provider (IdP) 1.3.x before 1.3.4 and 2.x before 2.1.5, and the Service Provider 1.3.x before 1.3.5 and 2.x before 2.3, in Internet2 Middleware Initiative Shibboleth allow remote attackers to inject arbitrary…
- CVE-2009-3476Sep 29, 2009risk 0.00cvss —epss 0.04
Buffer overflow in OpenSAML before 1.1.3 as used in Internet2 Shibboleth Service Provider software 1.3.x before 1.3.4, and XMLTooling before 1.2.2 as used in Internet2 Shibboleth Service Provider software 2.x before 2.2.1, allows remote attackers to cause a denial of service and…
- CVE-2009-3475Sep 29, 2009risk 0.00cvss —epss 0.01
Internet2 Shibboleth Service Provider software 1.3.x before 1.3.3 and 2.x before 2.2.1, when using PKIX trust validation, does not properly handle a '\0' character in the subject or subjectAltName fields of a certificate, which allows remote man-in-the-middle attackers to spoof…
- CVE-2009-3474Sep 29, 2009risk 0.00cvss —epss 0.02
OpenSAML 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, as used by Internet2 Shibboleth Service Provider 2.x before 2.2.1, do not follow the KeyDescriptor element's Use attribute, which allows remote attackers to use a certificate for both signing and encryption when it is…