Shibboleth


Products by Shibboleth, sorted by most security vulnerabilities since 2018

Shibboleth Service Provider: 5 vulnerabilities
Shibboleth Xmltooling C: 2 vulnerabilities
Shibboleth Oidc Op: 1 vulnerability
Shibboleth Opensaml: 1 vulnerability
Shibboleth Sp: 1 vulnerability
Shibboleth Xmltooling: 1 vulnerability

By the Year

In 2026 there have been 0 vulnerabilities in Shibboleth. Last year, in 2025, Shibboleth had 1 security vulnerability published. Right now, Shibboleth is on track to have fewer security vulnerabilities in 2026 than it did last year.

Year   Vulnerabilities   Average Score
2026   0                 0.00
2025   1                 9.10
2024   0                 0.00
2023   2                 7.40
2022   1                 8.20
2021   2                 6.40
2020   1                 7.50
2019   1                 0.00
2018   2                 6.50

It may take a day or so for new Shibboleth vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Shibboleth Security Vulnerabilities

CVE-2025-9943 (Sep 10, 2025) - Service Provider
Blind SQLi in Shibboleth SP 3.5.0 Replay Cache via ODBC & SQLString
An SQL injection vulnerability has been identified in the "ID" attribute of the SAML response when the replay cache of the Shibboleth Service Provider (SP) is configured to use an SQL database as storage service. An unauthenticated attacker can exploit this issue via blind SQL injection, allowing for the extraction of arbitrary data from the database, if the database connection is configured to use the ODBC plugin. The vulnerability arises from insufficient escaping of single quotes in the class SQLString (file odbc-store.cpp, lines 253-271). This issue affects Shibboleth Service Provider through 3.5.0.

CVE-2023-36661 (Jun 25, 2023) - Xmltooling
Shibboleth XMLTooling SSRF <3.2.4 via crafted KeyInfo
Shibboleth XMLTooling before 3.2.4, as used in OpenSAML and Shibboleth Service Provider, allows SSRF via a crafted KeyInfo element. (This is fixed in, for example, Shibboleth Service Provider 3.4.1.3 on Windows.)

CVE-2023-22947 (Jan 11, 2023) - Service Provider
Shibboleth SP <3.4.1: Insecure ACLs Enable DLL Planting for Priv Esc
Insecure folder permissions in the Windows installation path of Shibboleth Service Provider (SP) before 3.4.1 allow an unprivileged local attacker to escalate privileges to SYSTEM via DLL planting in the service executable's folder. This occurs because the installation goes under C:\opt (rather than C:\Program Files) by default. NOTE: the vendor disputes the significance of this report, stating that "We consider the ACLs a best effort thing" and "it was a documentation mistake."

CVE-2022-24129 (Feb 04, 2022) - Oidc Op
The OIDC OP plugin before 3.0.4 for Shibboleth Identity Provider allows server-side request forgery (SSRF) due to insufficient restriction of the request_uri parameter. This allows attackers to interact with arbitrary third-party HTTP services.

CVE-2021-31826 (Apr 27, 2021) - Service Provider
Shibboleth Service Provider 3.x before 3.2.2 is prone to a NULL pointer dereference flaw involving the session recovery feature. The flaw is exploitable (for a daemon crash) on systems not using this feature if a crafted cookie is supplied.

CVE-2021-28963 (Mar 22, 2021) - Service Provider
Shibboleth Service Provider before 3.2.1 allows content injection because template generation uses attacker-controlled parameters.

CVE-2020-27978 (Oct 28, 2020) - Identity Provider
Shibboleth Identity Provider 3.x before 3.4.6 has a denial of service flaw. A remote unauthenticated attacker can cause a login flow to trigger Java heap exhaustion due to the creation of objects in the Java Servlet container session.

CVE-2019-19191 (Nov 21, 2019) - Service Provider
Shibboleth Service Provider (SP) 3.x before 3.1.0 shipped a spec file that calls chown on files in a directory controlled by the service user (the shibd account) after installation. This allows the user to escalate to root by pointing symlinks to files such as /etc/shadow.

CVE-2018-0489 (Feb 27, 2018) - Xmltooling C
Shibboleth XMLTooling-C before 1.6.4, as used in Shibboleth Service Provider before 2.6.1.4 on Windows and other products, mishandles digital signatures of user data, which allows remote attackers to obtain sensitive information or conduct impersonation attacks via crafted XML data. NOTE: this issue exists because of an incomplete fix for CVE-2018-0486.

CVE-2018-0486 (Jan 13, 2018) - Xmltooling C
Shibboleth XMLTooling-C before 1.6.3, as used in Shibboleth Service Provider before 2.6.0 on Windows and other products, mishandles digital signatures of user attribute data, which allows remote attackers to obtain sensitive information or conduct impersonation attacks via a crafted DTD.

CVE-2013-6440 (Feb 14, 2014) - Opensaml
The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML DOCTYPE declaration.

CVE-2011-2516 (Jul 11, 2011) - Shibboleth Sp
Off-by-one error in the XML signature feature in Apache XML Security for C++ 1.6.0, as used in Shibboleth before 2.4.3 and possibly other products, allows remote attackers to cause a denial of service (crash) via a signature using a large RSA key, which triggers a buffer overflow.
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).