Vulnerabilities > CVE-2010-2450 - Use of Password Hash With Insufficient Computational Effort vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE Summary
The keygen.sh script in Shibboleth SP 2.0 (located in /usr/local/etc/shibboleth by default) uses OpenSSL to create a DES private key which is placed in sp-key.pm. It relies on the root umask (default 22) instead of chmoding the resulting file itself, so the generated private key is world readable by default.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 | |
OS | 2 |
Common Weakness Enumeration (CWE)
References
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=571631
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=571631
- https://security-tracker.debian.org/tracker/CVE-2010-2450
- https://security-tracker.debian.org/tracker/CVE-2010-2450
- https://todos.internet2.edu/browse/SSPCPP-106
- https://todos.internet2.edu/browse/SSPCPP-106