Shibboleth Service Provider — known CVE vulnerabilities
Every CVE whose affected-product data names Shibboleth Service Provider, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (7)
CVE-2017-16852 — CVSS 8.1 (high): shibsp/metadata/DynamicMetadataProvider.cpp in the Dynamic MetadataProvider plugin in Shibboleth Service Provider before 2.6.1 fails to…
CVE-2019-19191 — CVSS 7.8 (high): Shibboleth Service Provider (SP) 3.x before 3.1.0 shipped a spec file that calls chown on files in a directory controlled by the service…
CVE-2010-2450 — CVSS 7.5 (high): The keygen.sh script in Shibboleth SP 2.0 (located in /usr/local/etc/shibboleth by default) uses OpenSSL to create a DES private key which…
CVE-2021-31826 — CVSS 7.5 (high): Shibboleth Service Provider 3.x before 3.2.2 is prone to a NULL pointer dereference flaw involving the session recovery feature. The flaw…
CVE-2023-22947 — CVSS 7.3 (high): Insecure folder permissions in the Windows installation path of Shibboleth Service Provider (SP) before 3.4.1 allow an unprivileged local…
CVE-2021-28963 — CVSS 5.3 (medium): Shibboleth Service Provider before 3.2.1 allows content injection because template generation uses attacker-controlled parameters.
CVE-2015-2684 — CVSS 4.0 (medium): Shibboleth Service Provider (SP) before 2.5.4 allows remote authenticated users to cause a denial of service (crash) via a crafted SAML…