Vulnerabilities > Shibboleth > Identity Provider
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-10-28 | CVE-2020-27978 | Allocation of Resources Without Limits or Throttling vulnerability in Shibboleth Identity Provider Shibboleth Identify Provider 3.x before 3.4.6 has a denial of service flaw. | 7.5 |
| 2019-04-04 | CVE-2014-3603 | Improper Validation of Certificate with Host Mismatch vulnerability in Shibboleth Identity Provider and Opensaml Java The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | 5.9 |