Shibboleth Service Provider
By the Year
In 2026 there have been 0 vulnerabilities in Shibboleth Service Provider. Last year, in 2025, Service Provider had 1 security vulnerability published. Right now, Service Provider is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 1 | 9.10 |
| 2024 | 0 | 0.00 |
| 2023 | 1 | 7.30 |
| 2022 | 0 | 0.00 |
| 2021 | 2 | 6.40 |
| 2020 | 0 | 0.00 |
| 2019 | 1 | 0.00 |
It may take a day or so for new Service Provider vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Shibboleth Service Provider Security Vulnerabilities
Blind SQLi in Shibboleth SP 3.5.0 Replay Cache via ODBC & SQLString
CVE-2025-9943
9.1 - Critical
- September 10, 2025
An SQL injection vulnerability has been identified in the "ID" attribute of the SAML response when the replay cache of the Shibboleth Service Provider (SP) is configured to use an SQL database as storage service. An unauthenticated attacker can exploit this issue via blind SQL injection, allowing for the extraction of arbitrary data from the database, if the database connection is configured to use the ODBC plugin. The vulnerability arises from insufficient escaping of single quotes in the class SQLString (file odbc-store.cpp, lines 253-271). This issue affects Shibboleth Service Provider through 3.5.0.
SQL Injection
Shibboleth SP <3.4.1: Insecure ACLs Enable DLL Planting for Priv Esc
CVE-2023-22947
7.3 - High
- January 11, 2023
Insecure folder permissions in the Windows installation path of Shibboleth Service Provider (SP) before 3.4.1 allow an unprivileged local attacker to escalate privileges to SYSTEM via DLL planting in the service executable's folder. This occurs because the installation goes under C:\opt (rather than C:\Program Files) by default. NOTE: the vendor disputes the significance of this report, stating that "We consider the ACLs a best effort thing" and "it was a documentation mistake."
DLL preloading
Shibboleth Service Provider 3.x before 3.2.2 is prone to a NULL pointer dereference flaw involving the session recovery feature
CVE-2021-31826
7.5 - High
- April 27, 2021
Shibboleth Service Provider 3.x before 3.2.2 is prone to a NULL pointer dereference flaw involving the session recovery feature. The flaw is exploitable (for a daemon crash) on systems not using this feature if a crafted cookie is supplied.
NULL Pointer Dereference
Shibboleth Service Provider before 3.2.1
CVE-2021-28963
5.3 - Medium
- March 22, 2021
Shibboleth Service Provider before 3.2.1 allows content injection because template generation uses attacker-controlled parameters.
Injection
Shibboleth Service Provider (SP) 3.x before 3.1.0 shipped a spec file
CVE-2019-19191
- November 21, 2019
Shibboleth Service Provider (SP) 3.x before 3.1.0 shipped a spec file that calls chown on files in a directory controlled by the service user (the shibd account) after installation. This allows the user to escalate to root by pointing symlinks to files such as /etc/shadow.