Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
shibboleth service provider vulnerabilities and exploits
(subscribe to this query)
641
VMScore
CVE-2019-19191
Shibboleth Service Provider (SP) 3.x prior to 3.1.0 shipped a spec file that calls chown on files in a directory controlled by the service user (the shibd account) after installation. This allows the user to escalate to root by pointing symlinks to files such as /etc/shadow.
Shibboleth Service Provider
445
VMScore
CVE-2021-31826
Shibboleth Service Provider 3.x prior to 3.2.2 is prone to a NULL pointer dereference flaw involving the session recovery feature. The flaw is exploitable (for a daemon crash) on systems not using this feature if a crafted cookie is supplied.
Shibboleth Service Provider
356
VMScore
CVE-2015-2684
Shibboleth Service Provider (SP) prior to 2.5.4 allows remote authenticated users to cause a denial of service (crash) via a crafted SAML message.
Shibboleth Service Provider
Debian Debian Linux 7.0
445
VMScore
CVE-2021-28963
Shibboleth Service Provider prior to 3.2.1 allows content injection because template generation uses attacker-controlled parameters.
Shibboleth Service Provider
Debian Debian Linux 10.0
231
VMScore
CVE-2009-3300
Multiple cross-site scripting (XSS) vulnerabilities in the Identity Provider (IdP) 1.3.x prior to 1.3.4 and 2.x prior to 2.1.5, and the Service Provider 1.3.x prior to 1.3.5 and 2.x prior to 2.3, in Internet2 Middleware Initiative Shibboleth allow remote malicious users to inject...
Internet2 Identity Provider 2.1.2
Internet2 Identity Provider 2.1.3
Internet2 Service Provider 2.2
Internet2 Service Provider 2.1
Internet2 Identity Provider 1.3.1
Internet2 Identity Provider 1.3
Internet2 Service Provider 1.3.1
Internet2 Service Provider 1.3.2
Internet2 Identity Provider 1.3.3
Internet2 Identity Provider 1.3.2
Internet2 Identity Provider 2.1.4
Internet2 Service Provider 1.3
Internet2 Identity Provider 2.1.0
Internet2 Identity Provider 2.1.1
Internet2 Service Provider 1.3.3
Internet2 Service Provider 2.0
605
VMScore
CVE-2017-16852
shibsp/metadata/DynamicMetadataProvider.cpp in the Dynamic MetadataProvider plugin in Shibboleth Service Provider prior to 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform critical security checks such as signature verification, enforc...
Shibboleth Service Provider
Debian Debian Linux 8.0
Debian Debian Linux 9.0
445
VMScore
CVE-2010-2450
The keygen.sh script in Shibboleth SP 2.0 (located in /usr/local/etc/shibboleth by default) uses OpenSSL to create a DES private key which is placed in sp-key.pm. It relies on the root umask (default 22) instead of chmoding the resulting file itself, so the generated private key ...
Shibboleth Service Provider 2.0
Debian Debian Linux 8.0
Debian Debian Linux 9.0
445
VMScore
CVE-2020-27978
Shibboleth Identify Provider 3.x prior to 3.4.6 has a denial of service flaw. A remote unauthenticated attacker can cause a login flow to trigger Java heap exhaustion due to the creation of objects in the Java Servlet container session.
Shibboleth Identity Provider
668
VMScore
CVE-2009-3475
Internet2 Shibboleth Service Provider software 1.3.x prior to 1.3.3 and 2.x prior to 2.2.1, when using PKIX trust validation, does not properly handle a '\0' character in the subject or subjectAltName fields of a certificate, which allows remote man-in-the-middle malici...
Internet2 Shibboleth-sp 2.0
Internet2 Shibboleth-sp 1.3.1
Internet2 Shibboleth-sp 1.3f
Internet2 Shibboleth-sp 2.2
Internet2 Shibboleth-sp 2.1
Internet2 Shibboleth-sp 1.3.2
828
VMScore
CVE-2009-3476
Buffer overflow in OpenSAML prior to 1.1.3 as used in Internet2 Shibboleth Service Provider software 1.3.x prior to 1.3.4, and XMLTooling prior to 1.2.2 as used in Internet2 Shibboleth Service Provider software 2.x prior to 2.2.1, allows remote malicious users to cause a denial o...
Internet2 Shibboleth-sp 1.3.2
Internet2 Shibboleth-sp 1.3.3
Internet2 Shibboleth-sp 1.3.1
Internet2 Shibboleth-sp 1.3f
Internet2 Opensaml 1.1
Internet2 Opensaml 1.1.1
Internet2 Xmltooling 1.1.0
Internet2 Xmltooling 1.0.1
Internet2 Xmltooling 1.1.1
Internet2 Xmltooling 1.2.0
Internet2 Xmltooling 1.2.1
Internet2 Shibboleth-sp 2.0
Internet2 Shibboleth-sp 2.1
Internet2 Shibboleth-sp 2.2
VMScore
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2023-21991
CVE-2024-32674
path traversal
CVE-2023-21987
denial of service
dos
CVE-2024-4647
CVE-2024-25519
CVE-2024-33612
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
1
2
3
NEXT »