Vulnerabilities > CVE-2021-31826 - NULL Pointer Dereference vulnerability in Shibboleth Service Provider

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

network

low complexity

shibboleth

CWE-476

NVD

Published: 2021-04-27

Updated: 2023-11-07

Summary

Shibboleth Service Provider 3.x before 3.2.2 is prone to a NULL pointer dereference flaw involving the session recovery feature. The flaw is exploitable (for a daemon crash) on systems not using this feature if a crafted cookie is supplied.

Vulnerable Configurations

Part	Description	Count
Application	Shibboleth Shibboleth Service Provider 3.0.0 Shibboleth Service Provider 3.0.2 Shibboleth Service Provider 3.0.3 Shibboleth Service Provider 3.0.4 Shibboleth Service Provider 3.1.0	5

Common Weakness Enumeration (CWE)

CWE-476 - NULL Pointer Dereference

References

https://issues.shibboleth.net/jira/browse/SSPCPP-927
https://bugs.debian.org/987608
https://shibboleth.net/community/advisories/secadv_20210426.txt
https://www.debian.org/security/2021/dsa-4905
https://git.shibboleth.net/view/?p=cpp-sp.git%3Ba=commit%3Bh=5a47c3b9378f4c49392dd4d15189b70956f9f2ec