VYPR

Internet2

All CVEs

23 total · sorted by risk
  • CVE-2024-39848 · Critical · Jun 29, 2024
    risk 0.59 · cvss 9.1 · epss 0.00

    Internet2 Grouper before 5.6 allows authentication bypass when LDAP authentication is used in certain ways. This is related to internet2.middleware.grouper.ws.security.WsGrouperLdapAuthentication and the use of the UyY29r password for the M3vwHr account. This also affects…

  • CVE-2017-16853 · High · Nov 16, 2017
    risk 0.53 · cvss 8.1 · epss 0.01

    The DynamicMetadataProvider class in saml/saml2/metadata/impl/DynamicMetadataProvider.cpp in OpenSAML-C in OpenSAML before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform critical security checks such as signature verification,…

  • CVE-2017-16852 · High · Nov 16, 2017
    risk 0.53 · cvss 8.1 · epss 0.01

    shibsp/metadata/DynamicMetadataProvider.cpp in the Dynamic MetadataProvider plugin in Shibboleth Service Provider before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform critical security checks such as signature verification,…

  • CVE-2018-0489 · Medium · Feb 27, 2018
    risk 0.42 · cvss 6.5 · epss 0.02

    Shibboleth XMLTooling-C before 1.6.4, as used in Shibboleth Service Provider before 2.6.1.4 on Windows and other products, mishandles digital signatures of user data, which allows remote attackers to obtain sensitive information or conduct impersonation attacks via crafted XML…

  • CVE-2018-0486 · Medium · Jan 13, 2018
    risk 0.42 · cvss 6.5 · epss 0.02

    Shibboleth XMLTooling-C before 1.6.3, as used in Shibboleth Service Provider before 2.6.0 on Windows and other products, mishandles digital signatures of user attribute data, which allows remote attackers to obtain sensitive information or conduct impersonation attacks via a…

  • CVE-2025-31335 · Medium · Mar 28, 2025
    risk 0.26 · cvss 4.0 · epss 0.00

    The OpenSAML C++ library before 3.3.1 allows forging of signed SAML messages via parameter manipulation (when using SAML bindings that rely on non-XML signatures).

  • CVE-2023-36661 · Jun 25, 2023
    risk 0.07 · cvss n/a · epss 0.03

    Shibboleth XMLTooling before 3.2.4, as used in OpenSAML and Shibboleth Service Provider, allows SSRF via a crafted KeyInfo element. (This is fixed in, for example, Shibboleth Service Provider 3.4.1.3 on Windows.)

  • CVE-2011-2516 · Jul 11, 2011
    risk 0.01 · cvss n/a · epss 0.08

    Off-by-one error in the XML signature feature in Apache XML Security for C++ 1.6.0, as used in Shibboleth before 2.4.3 and possibly other products, allows remote attackers to cause a denial of service (crash) via a signature using a large RSA key, which triggers a buffer…

  • CVE-2025-59714 · Sep 19, 2025
    risk 0.00 · cvss n/a · epss 0.00

    In Internet2 Grouper 5.17.1 before 5.20.5, group admins who are not Grouper sysadmins can configure loader jobs.

  • CVE-2023-22947 · Jan 11, 2023
    risk 0.00 · cvss n/a · epss 0.00

    Insecure folder permissions in the Windows installation path of Shibboleth Service Provider (SP) before 3.4.1 allow an unprivileged local attacker to escalate privileges to SYSTEM via DLL planting in the service executable's folder. This occurs because the installation goes…

  • CVE-2021-28963 · Mar 22, 2021
    risk 0.00 · cvss n/a · epss 0.01

    Shibboleth Service Provider before 3.2.1 allows content injection because template generation uses attacker-controlled parameters.

  • CVE-2020-27978 · Oct 28, 2020
    risk 0.00 · cvss n/a · epss 0.02

    Shibboleth Identity Provider 3.x before 3.4.6 has a denial of service flaw. A remote unauthenticated attacker can cause a login flow to trigger Java heap exhaustion due to the creation of objects in the Java Servlet container session.

  • CVE-2019-19191 · Nov 21, 2019
    risk 0.00 · cvss n/a · epss 0.00

    Shibboleth Service Provider (SP) 3.x before 3.1.0 shipped a spec file that calls chown on files in a directory controlled by the service user (the shibd account) after installation. This allows the user to escalate to root by pointing symlinks to files such as /etc/shadow.

  • CVE-2018-19794 · Dec 3, 2018
    risk 0.00 · cvss n/a · epss 0.01

    Cross-site scripting (XSS) vulnerability in UiV2Public.index in Internet2 Grouper 2.2 and 2.3 allows remote attackers to inject arbitrary web script or HTML via the code parameter.

  • CVE-2015-0851 · Aug 12, 2015
    risk 0.00 · cvss n/a · epss 0.02

    XMLTooling-C before 1.5.5, as used in OpenSAML-C and Shibboleth Service Provider (SP), does not properly handle integer conversion exceptions, which allows remote attackers to cause a denial of service (crash) via schema-invalid XML data.

  • CVE-2015-1796 · Jul 8, 2015
    risk 0.00 · cvss n/a · epss 0.01

    The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued…

  • CVE-2015-2684 · Mar 31, 2015
    risk 0.00 · cvss n/a · epss 0.02

    Shibboleth Service Provider (SP) before 2.5.4 allows remote authenticated users to cause a denial of service (crash) via a crafted SAML message.

  • CVE-2013-6440 · Feb 14, 2014
    risk 0.00 · cvss n/a · epss 0.03

    The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML…

  • CVE-2011-1411 · Sep 2, 2011
    risk 0.00 · cvss n/a · epss 0.02

    Shibboleth OpenSAML library 2.4.x before 2.4.3 and 2.5.x before 2.5.1, and IdP before 2.3.2, allows remote attackers to forge messages and bypass authentication via an "XML Signature wrapping attack."

  • CVE-2009-3300 · Nov 6, 2009
    risk 0.00 · cvss n/a · epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in the Identity Provider (IdP) 1.3.x before 1.3.4 and 2.x before 2.1.5, and the Service Provider 1.3.x before 1.3.5 and 2.x before 2.3, in Internet2 Middleware Initiative Shibboleth allow remote attackers to inject arbitrary…

  • CVE-2009-3476 · Sep 29, 2009
    risk 0.00 · cvss n/a · epss 0.04

    Buffer overflow in OpenSAML before 1.1.3 as used in Internet2 Shibboleth Service Provider software 1.3.x before 1.3.4, and XMLTooling before 1.2.2 as used in Internet2 Shibboleth Service Provider software 2.x before 2.2.1, allows remote attackers to cause a denial of service and…

  • CVE-2009-3475 · Sep 29, 2009
    risk 0.00 · cvss n/a · epss 0.01

    Internet2 Shibboleth Service Provider software 1.3.x before 1.3.3 and 2.x before 2.2.1, when using PKIX trust validation, does not properly handle a '\0' character in the subject or subjectAltName fields of a certificate, which allows remote man-in-the-middle attackers to spoof…

  • CVE-2009-3474 · Sep 29, 2009
    risk 0.00 · cvss n/a · epss 0.02

    OpenSAML 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, as used by Internet2 Shibboleth Service Provider 2.x before 2.2.1, do not follow the KeyDescriptor element's Use attribute, which allows remote attackers to use a certificate for both signing and encryption when it is…