Vulnerabilities > Shibboleth

DATE CVE VULNERABILITY TITLE RISK
2018-01-13 CVE-2018-0486 Improper Verification of Cryptographic Signature vulnerability in multiple products
Shibboleth XMLTooling-C before 1.6.3, as used in Shibboleth Service Provider before 2.6.0 on Windows and other products, mishandles digital signatures of user attribute data, which allows remote attackers to obtain sensitive information or conduct impersonation attacks via a crafted DTD.
network
low complexity
shibboleth debian CWE-347
6.4
2017-11-16 CVE-2017-16853 Improper Verification of Cryptographic Signature vulnerability in multiple products
The DynamicMetadataProvider class in saml/saml2/metadata/impl/DynamicMetadataProvider.cpp in OpenSAML-C in OpenSAML before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform critical security checks such as signature verification, enforcement of validity periods, and other checks specific to deployments, aka CPPOST-105.
network
high complexity
shibboleth debian CWE-347
8.1
2017-11-16 CVE-2017-16852 Improper Verification of Cryptographic Signature vulnerability in multiple products
shibsp/metadata/DynamicMetadataProvider.cpp in the Dynamic MetadataProvider plugin in Shibboleth Service Provider before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform critical security checks such as signature verification, enforcement of validity periods, and other checks specific to deployments, aka SSPCPP-763.
network
high complexity
shibboleth debian CWE-347
8.1
2015-07-08 CVE-2015-1796 7PK - Security Features vulnerability in Shibboleth Identity Provider and Opensaml Java
The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor.
4.3
2015-03-31 CVE-2015-2684 Improper Input Validation vulnerability in multiple products
Shibboleth Service Provider (SP) before 2.5.4 allows remote authenticated users to cause a denial of service (crash) via a crafted SAML message.
network
low complexity
shibboleth debian CWE-20
4.0
2014-02-14 CVE-2013-6440 Information Exposure vulnerability in multiple products
The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML DOCTYPE declaration.
network
low complexity
internet2 shibboleth CWE-200
5.0
2011-09-02 CVE-2011-1411 Improper Authentication vulnerability in Shibboleth Opensaml and Shibboleth-Identity-Provider
Shibboleth OpenSAML library 2.4.x before 2.4.3 and 2.5.x before 2.5.1, and IdP before 2.3.2, allows remote attackers to forge messages and bypass authentication via an "XML Signature wrapping attack."
5.8