VYPR

Service Provider

by Internet2

CVEs (9)

  • CVE-2017-16852 (High), Nov 16, 2017
    risk 0.53, CVSS 8.1, EPSS 0.01

    shibsp/metadata/DynamicMetadataProvider.cpp in the Dynamic MetadataProvider plugin in Shibboleth Service Provider before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform critical security checks such as signature verification,…

  • CVE-2023-22947, Jan 11, 2023
    risk 0.00, CVSS not listed, EPSS 0.00

    Insecure folder permissions in the Windows installation path of Shibboleth Service Provider (SP) before 3.4.1 allow an unprivileged local attacker to escalate privileges to SYSTEM via DLL planting in the service executable's folder. This occurs because the installation goes…

  • CVE-2021-28963, Mar 22, 2021
    risk 0.00, CVSS not listed, EPSS 0.01

    Shibboleth Service Provider before 3.2.1 allows content injection because template generation uses attacker-controlled parameters.

  • CVE-2019-19191, Nov 21, 2019
    risk 0.00, CVSS not listed, EPSS 0.00

    Shibboleth Service Provider (SP) 3.x before 3.1.0 shipped a spec file that calls chown on files in a directory controlled by the service user (the shibd account) after installation. This allows the user to escalate to root by pointing symlinks to files such as /etc/shadow.

  • CVE-2015-2684, Mar 31, 2015
    risk 0.00, CVSS not listed, EPSS 0.02

    Shibboleth Service Provider (SP) before 2.5.4 allows remote authenticated users to cause a denial of service (crash) via a crafted SAML message.

  • CVE-2009-3300, Nov 6, 2009
    risk 0.00, CVSS not listed, EPSS 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in the Identity Provider (IdP) 1.3.x before 1.3.4 and 2.x before 2.1.5, and the Service Provider 1.3.x before 1.3.5 and 2.x before 2.3, in Internet2 Middleware Initiative Shibboleth allow remote attackers to inject arbitrary…

  • CVE-2009-3476, Sep 29, 2009
    risk 0.00, CVSS not listed, EPSS 0.04

    Buffer overflow in OpenSAML before 1.1.3 as used in Internet2 Shibboleth Service Provider software 1.3.x before 1.3.4, and XMLTooling before 1.2.2 as used in Internet2 Shibboleth Service Provider software 2.x before 2.2.1, allows remote attackers to cause a denial of service and…

  • CVE-2009-3475, Sep 29, 2009
    risk 0.00, CVSS not listed, EPSS 0.01

    Internet2 Shibboleth Service Provider software 1.3.x before 1.3.3 and 2.x before 2.2.1, when using PKIX trust validation, does not properly handle a '\0' character in the subject or subjectAltName fields of a certificate, which allows remote man-in-the-middle attackers to spoof…

  • CVE-2009-3474, Sep 29, 2009
    risk 0.00, CVSS not listed, EPSS 0.02

    OpenSAML 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, as used by Internet2 Shibboleth Service Provider 2.x before 2.2.1, do not follow the KeyDescriptor element's Use attribute, which allows remote attackers to use a certificate for both signing and encryption when it is…