Shibboleth


Products by Shibboleth, sorted by most security vulnerabilities since 2018

Shibboleth Service Provider: 3 vulnerabilities
Shibboleth Xmltooling C: 2 vulnerabilities
Shibboleth Oidc Op: 1 vulnerability
Shibboleth Opensaml: 1 vulnerability
Shibboleth Sp: 1 vulnerability
Shibboleth Xmltooling: 1 vulnerability

(NVD records the same software under more than one product name, which is why "Service Provider" and "Sp", and "Xmltooling C" and "Xmltooling", are counted separately above.)

By the Year

In 2024 there have been 0 vulnerabilities in Shibboleth. Last year (2023) Shibboleth had 1 security vulnerability published. At that pace, Shibboleth is on track to have fewer published vulnerabilities in 2024 than it did last year.

Year   Vulnerabilities   Average Score (CVSS)
2024   0                 0.00
2023   1                 7.50
2022   1                 8.20
2021   2                 6.40
2020   1                 7.50
2019   1                 7.80
2018   2                 6.50

It may take a day or so for new Shibboleth vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Shibboleth Security Vulnerabilities

Shibboleth XMLTooling before 3.2.4, as used in OpenSAML and Shibboleth Service Provider, allows SSRF via a crafted KeyInfo element

CVE-2023-36661 7.5 - High - June 25, 2023

Shibboleth XMLTooling before 3.2.4, as used in OpenSAML and Shibboleth Service Provider, allows SSRF via a crafted KeyInfo element. (This is fixed in, for example, Shibboleth Service Provider 3.4.1.3 on Windows.)

XSPA (Cross-Site Port Attack, a form of SSRF)

The OIDC OP plugin before 3.0.4 for Shibboleth Identity Provider

CVE-2022-24129 8.2 - High - February 04, 2022

The OIDC OP plugin before 3.0.4 for Shibboleth Identity Provider allows server-side request forgery (SSRF) due to insufficient restriction of the request_uri parameter. This allows attackers to interact with arbitrary third-party HTTP services.

XSPA (Cross-Site Port Attack, a form of SSRF)
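This entry and the XMLTooling KeyInfo entry (CVE-2023-36661) above share one shape: the server dereferences a URI that an unauthenticated party supplied. The following is an added example, not code from the Shibboleth project or its OIDC OP plugin, of the policy an OpenID Provider can apply before fetching a request_uri: https only, no userinfo, a literal-IP screen for loopback, private and link-local addresses, and an exact-match allow-list against the request_uris the client pre-registered (OpenID Connect Dynamic Registration client metadata; the 512-character limit is from OpenID Connect Core 6.2). The REGISTERED_REQUEST_URIS set and the hostnames are constructed for this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed example client metadata: request_uris one relying party pre-registered.
# Hypothetical values; a real OP reads these from its client registration store.
REGISTERED_REQUEST_URIS = {
    "https://rp.example.org/oidc/request/login",
    "https://rp.example.org/oidc/request/step-up",
}

MAX_REQUEST_URI_LEN = 512  # OpenID Connect Core 6.2: whole request_uri <= 512 ASCII chars


def is_blocked_host(host: str) -> bool:
    """True for hosts an OP must never fetch from on a client's behalf.

    Literal IPs are classified with the ipaddress module: anything that is not
    globally routable (loopback, RFC 1918, link-local such as 169.254.169.254,
    multicast, reserved) is blocked. Names are only screened for localhost;
    see the note below about DNS.
    """
    name = host.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(name)
    except ValueError:
        return name == "localhost" or name.endswith(".localhost")
    return not addr.is_global


def validate_request_uri(request_uri: str, registered: set) -> tuple:
    """Decide whether the OP may dereference request_uri; returns (ok, reason)."""
    if len(request_uri) > MAX_REQUEST_URI_LEN or not request_uri.isascii():
        return False, "too long or non-ASCII"
    parts = urlsplit(request_uri)
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    if not parts.hostname or is_blocked_host(parts.hostname):
        return False, "host not allowed"
    # Exact-match allow-list: the RP registered this exact string, so the OP is
    # not following an attacker-chosen URL. No normalisation is attempted on
    # purpose; a URI that is not byte-for-byte registered is refused.
    if request_uri not in registered:
        return False, "not pre-registered"
    return True, "ok"


if __name__ == "__main__":
    for uri in ("https://rp.example.org/oidc/request/login",
                "https://169.254.169.254/latest/meta-data/",
                "https://attacker.example.net/req.jwt"):
        print(uri, validate_request_uri(uri, REGISTERED_REQUEST_URIS))
```

The literal-IP screen alone is not a control: a hostname can resolve to an internal address, and can change between the check and the connect (DNS rebinding). The exact-match allow-list is what actually prevents "interaction with arbitrary third-party HTTP services"; where an OP cannot require pre-registration, it should resolve the name itself, re-apply is_blocked_host to every resolved address, and connect only to those addresses. The same rule applies to any URI an XML library would resolve out of attacker-supplied KeyInfo: do not dereference anything that is not on a configured list.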

Shibboleth Service Provider 3.x before 3.2.2 is prone to a NULL pointer dereference flaw involving the session recovery feature

CVE-2021-31826 7.5 - High - April 27, 2021

Shibboleth Service Provider 3.x before 3.2.2 is prone to a NULL pointer dereference flaw involving the session recovery feature. The flaw is exploitable (for a daemon crash) on systems not using this feature if a crafted cookie is supplied.

NULL Pointer Dereference

Shibboleth Service Provider before 3.2.1

CVE-2021-28963 5.3 - Medium - March 22, 2021

Shibboleth Service Provider before 3.2.1 allows content injection because template generation uses attacker-controlled parameters.

Injection

Shibboleth Identity Provider 3.x before 3.4.6 has a denial of service flaw

CVE-2020-27978 7.5 - High - October 28, 2020

Shibboleth Identity Provider 3.x before 3.4.6 has a denial of service flaw. A remote unauthenticated attacker can cause a login flow to trigger Java heap exhaustion due to the creation of objects in the Java Servlet container session.

Allocation of Resources Without Limits or Throttling

Shibboleth Service Provider (SP) 3.x before 3.1.0 shipped a spec file

CVE-2019-19191 7.8 - High - November 21, 2019

Shibboleth Service Provider (SP) 3.x before 3.1.0 shipped a spec file that calls chown on files in a directory controlled by the service user (the shibd account) after installation. This allows the user to escalate to root by pointing symlinks to files such as /etc/shadow.

Insecure Temporary File
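The entry above describes a privileged post-install step running chown over a directory the unprivileged service user can write to; because chown(2) follows symlinks, a planted link turns that step into an ownership change on the link's target. The following is an added example, not the Shibboleth project's spec file or code, showing the vulnerable shape next to a version that never follows a link: it holds a directory descriptor, lstat()s each entry, opens with O_NOFOLLOW, confirms the opened inode is the one it inspected, and chowns through the descriptor. The temporary directory layout is constructed for the example, with a file called "shadow" standing in for /etc/shadow; run as an ordinary user, chown to your own uid/gid changes nothing on disk but still shows which inode each routine operated on. POSIX only (dir_fd, O_NOFOLLOW).

```python
import os
import stat
import tempfile


def chown_tree_unsafe(root: str, uid: int, gid: int) -> list:
    """The vulnerable shape: os.chown, like chown(2), follows symlinks, so a link
    the service user planted in `root` redirects the ownership change to its
    target. Returns (st_dev, st_ino) of every inode whose owner was changed."""
    touched = []
    for name in os.listdir(root):
        path = os.path.join(root, name)
        os.chown(path, uid, gid)   # follows the symlink
        st = os.stat(path)         # also follows it: records the target's inode
        touched.append((st.st_dev, st.st_ino))
    return touched


def chown_tree_safe(root: str, uid: int, gid: int) -> list:
    """Change ownership of regular files directly under `root` without ever
    following a symlink and without a stat-then-chown race on the path name."""
    touched = []
    dir_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        for name in os.listdir(dir_fd):
            st = os.stat(name, dir_fd=dir_fd, follow_symlinks=False)  # lstat
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, FIFOs, sockets, subdirectories
            try:
                # O_NOFOLLOW: fail instead of following if the entry was swapped
                # for a link between the lstat above and this open.
                fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK | os.O_NOCTTY,
                             dir_fd=dir_fd)
            except OSError:
                continue  # e.g. ELOOP: the entry became a symlink; leave it alone
            try:
                fst = os.fstat(fd)
                if (fst.st_dev, fst.st_ino) != (st.st_dev, st.st_ino) or not stat.S_ISREG(fst.st_mode):
                    continue  # entry changed underneath us
                os.fchown(fd, uid, gid)  # acts on the open file, never on a path
                touched.append((fst.st_dev, fst.st_ino))
            finally:
                os.close(fd)
    finally:
        os.close(dir_fd)
    return touched


def demo() -> tuple:
    """Constructed layout: `root` stands in for the service-owned directory and
    `target` for a root-owned file such as /etc/shadow. Returns whether each
    routine operated on the target's inode (unsafe_hit, safe_hit)."""
    uid, gid = os.getuid(), os.getgid()
    outside = tempfile.mkdtemp()
    target = os.path.join(outside, "shadow")
    with open(target, "w") as fh:
        fh.write("root:*:19000:0:99999:7:::\n")  # constructed content
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "shibd.log"), "w") as fh:
        fh.write("log line\n")
    os.symlink(target, os.path.join(root, "planted"))  # what the service user would do
    tst = os.stat(target)
    target_id = (tst.st_dev, tst.st_ino)
    unsafe_hits = chown_tree_unsafe(root, uid, gid)
    safe_hits = chown_tree_safe(root, uid, gid)
    return target_id in unsafe_hits, target_id in safe_hits


if __name__ == "__main__":
    print("unsafe followed the planted link: %s, safe followed it: %s" % demo())
```

In a package script the simpler fix is not to chown a service-writable directory from a privileged post-install step at all; where ownership must be set, GNU chown's -h (--no-dereference) gives the non-following behaviour shown above for the entries it is given.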

Shibboleth XMLTooling-C before 1.6.4, as used in Shibboleth Service Provider before 2.6.1.4 on Windows and other products, mishandles digital signatures of user data

CVE-2018-0489 6.5 - Medium - February 27, 2018

Shibboleth XMLTooling-C before 1.6.4, as used in Shibboleth Service Provider before 2.6.1.4 on Windows and other products, mishandles digital signatures of user data, which allows remote attackers to obtain sensitive information or conduct impersonation attacks via crafted XML data. NOTE: this issue exists because of an incomplete fix for CVE-2018-0486.

Improper Verification of Cryptographic Signature

Shibboleth XMLTooling-C before 1.6.3, as used in Shibboleth Service Provider before 2.6.0 on Windows and other products, mishandles digital signatures of user attribute data

CVE-2018-0486 6.5 - Medium - January 13, 2018

Shibboleth XMLTooling-C before 1.6.3, as used in Shibboleth Service Provider before 2.6.0 on Windows and other products, mishandles digital signatures of user attribute data, which allows remote attackers to obtain sensitive information or conduct impersonation attacks via a crafted DTD.

Improper Verification of Cryptographic Signature

The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true

CVE-2013-6440 - February 14, 2014

The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML DOCTYPE declaration.

Information Disclosure
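Both this entry (external entity expansion via a crafted DOCTYPE) and the CVE-2018-0486 entry above (signature mishandling via a crafted DTD) start from a DTD the attacker put in the document. The following is an added example, not OpenSAML or XMLTooling code, using Python's xml.sax reader, where the feature_external_ges flag plays the role of OpenSAML-Java's expandEntityReferences setting: the same SAML-shaped document leaks a local file when expansion is on, yields nothing when it is off, and is refused outright by a parser that rejects any DOCTYPE, which is the setting that closes both entries' vectors. The attribute document, the secret file and its path are constructed for the example; POSIX paths are assumed.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects element character data so we can see what the parser produced."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_text(xml_bytes: bytes, expand_external_entities: bool) -> str:
    """Parse with Python's expat-backed SAX reader and return the text content.

    feature_external_ges stands in for expandEntityReferences here: True makes
    the parser fetch external general entities, False skips them.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, expand_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.chunks)


def has_doctype(xml_bytes: bytes) -> bool:
    """Conservative pre-check: any DOCTYPE at all is refused. A false positive on
    '<!DOCTYPE' inside a comment or CDATA section is acceptable, since SAML
    messages never legitimately carry a DTD."""
    return b"<!DOCTYPE" in xml_bytes


def parse_hardened(xml_bytes: bytes) -> str:
    """Reject DTDs outright and keep entity expansion off."""
    if has_doctype(xml_bytes):
        raise ValueError("DOCTYPE/DTD not permitted in SAML input")
    return parse_text(xml_bytes, expand_external_entities=False)


def build_attack_document(secret_path: str) -> bytes:
    """Constructed attacker document: a SAML-shaped Attribute whose value is an
    external entity pointing at a local file on the parser's host."""
    return (
        '<?xml version="1.0"?>'
        '<!DOCTYPE Attribute [<!ENTITY xxe SYSTEM "file://{path}">]>'
        '<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="mail">'
        '<AttributeValue>&xxe;</AttributeValue>'
        '</Attribute>'
    ).format(path=secret_path).encode()


def xxe_demo() -> tuple:
    """Returns (text with expansion on, text with expansion off, hardened_rejected)."""
    workdir = tempfile.mkdtemp()
    secret_path = os.path.join(workdir, "secret.txt")  # stands in for a sensitive local file
    with open(secret_path, "w") as fh:
        fh.write("shibd-db-password")  # constructed secret
    doc = build_attack_document(secret_path)
    leaked = parse_text(doc, expand_external_entities=True)
    skipped = parse_text(doc, expand_external_entities=False)
    try:
        parse_hardened(doc)
        rejected = False
    except ValueError:
        rejected = True
    return leaked, skipped, rejected


if __name__ == "__main__":
    leaked, skipped, rejected = xxe_demo()
    print("expansion on :", repr(leaked))
    print("expansion off:", repr(skipped))
    print("hardened parser rejected the document:", rejected)
```

Turning expansion off is what the OpenSAML fix in the entry describes; refusing the DOCTYPE as well removes the whole class, including DTD tricks that do not need an external entity, and costs nothing for SAML, which never uses a DTD.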

Off-by-one error in the XML signature feature in Apache XML Security for C++ 1.6.0, as used in Shibboleth before 2.4.3 and possibly other products

CVE-2011-2516 - July 11, 2011

Off-by-one error in the XML signature feature in Apache XML Security for C++ 1.6.0, as used in Shibboleth before 2.4.3 and possibly other products, allows remote attackers to cause a denial of service (crash) via a signature using a large RSA key, which triggers a buffer overflow.

Numeric Errors

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).