CVE-2010-2450
HIGHShibboleth Service Provider - Exposure of Sensitive Information via Insecure Key File Permissions
Title source: llmDescription
The keygen.sh script in Shibboleth SP 2.0 (located in /usr/local/etc/shibboleth by default) uses OpenSSL to create a DES private key which is placed in sp-key.pm. It relies on the root umask (default 22) instead of chmoding the resulting file itself, so the generated private key is world readable by default.
References (3)
Core 3
Core References
Third Party Advisory x_refsource_misc
https://security-tracker.debian.org/tracker/CVE-2010-2450
Mailing List, Patch, Third Party Advisory x_refsource_misc
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=571631
Third Party Advisory x_refsource_confirm
https://todos.internet2.edu/browse/SSPCPP-106
Scores
CVSS v3
7.5
EPSS
0.0123
EPSS Percentile
65.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-200
CWE-916
Status
published
Products (3)
debian/debian_linux
8.0
debian/debian_linux
9.0
shibboleth/service_provider
2.0
Published
Nov 07, 2019
Tracked Since
Feb 18, 2026