Description
shibsp/metadata/DynamicMetadataProvider.cpp in the Dynamic MetadataProvider plugin in Shibboleth Service Provider before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform critical security checks such as signature verification, enforcement of validity periods, and other checks specific to deployments, aka SSPCPP-763.
References (5)
Core 5
Core References
Issue Tracking, Third Party Advisory x_refsource_confirm
https://bugs.debian.org/881857
Various Sources x_refsource_confirm
https://git.shibboleth.net/view/?p=cpp-sp.git%3Ba=commit%3Bh=b66cceb0e992c351ad5e2c665229ede82f261b16
Issue Tracking, Vendor Advisory x_refsource_confirm
https://shibboleth.net/community/advisories/secadv_20171115.txt
Mailing List mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2017/11/msg00025.html
Issue Tracking, Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2017/dsa-4038
Scores
CVSS v3
8.1
EPSS
0.0111
EPSS Percentile
61.5%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-347
Status
published
Products (3)
debian/debian_linux
8.0
debian/debian_linux
9.0
shibboleth/service_provider
< 2.6.1
Published
Nov 16, 2017
Tracked Since
Feb 18, 2026