Vulnerabilities > CVE-2010-2450 - Use of Password Hash With Insufficient Computational Effort vulnerability in multiple products

CVSS 5.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

NONE

Availability impact

NONE

network

low complexity

shibboleth

debian

CWE-916

NVD

Published: 2019-11-07

Updated: 2019-11-13

Summary

The keygen.sh script in Shibboleth SP 2.0 (located in /usr/local/etc/shibboleth by default) uses OpenSSL to create a DES private key which is placed in sp-key.pm. It relies on the root umask (default 22) instead of chmoding the resulting file itself, so the generated private key is world readable by default.

Vulnerable Configurations

Part	Description	Count
Application	Shibboleth Shibboleth Service Provider 2.0	1
OS	Debian Debian Debian Linux 8.0 Debian Debian Linux 9.0	2

Common Weakness Enumeration (CWE)

CWE-916 - Use of Password Hash With Insufficient Computational Effort

References

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=571631
https://security-tracker.debian.org/tracker/CVE-2010-2450
https://todos.internet2.edu/browse/SSPCPP-106