CVE-2021-31826

Published: 27/04/2021 Updated: 07/11/2023
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Summary

Shibboleth Service Provider 3.x prior to 3.2.2 is prone to a NULL pointer dereference flaw involving the session recovery feature. The flaw is exploitable (for a daemon crash) on systems not using this feature if a crafted cookie is supplied.

Vulnerable Product

shibboleth service provider

Vendor Advisories

Debian Bug report logs - #987608: shibboleth-sp: CVE-2021-31826: Session recovery feature contains a null pointer dereference. Package: src:shibboleth-sp; Maintainer for src:shibboleth-sp is Debian Shib Team <pkg-shibboleth-devel@alioth-lists.debian.net>; Reported by: Ferenc Wágner <wferi@debian.org>; Date: Mon, 26 Apr 20 ...
It was discovered that the Shibboleth Service Provider is prone to a NULL pointer dereference flaw in the cookie-based session recovery feature. A remote, unauthenticated attacker can take advantage of this flaw to cause a denial of service (crash in the shibd daemon/service). For additional information please refer to the upstream advisory at http ...