CVE-2017-16853
HIGHOpenSAML < 2.6.1 - Improper Verification of Cryptographic Signature in DynamicMetadataProvider
Title source: llmDescription
The DynamicMetadataProvider class in saml/saml2/metadata/impl/DynamicMetadataProvider.cpp in OpenSAML-C in OpenSAML before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform critical security checks such as signature verification, enforcement of validity periods, and other checks specific to deployments, aka CPPOST-105.
References (6)
Core 6
Core References
Issue Tracking, Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2017/dsa-4039
Issue Tracking, Third Party Advisory x_refsource_confirm
https://bugs.debian.org/881856
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/101898
Various Sources x_refsource_confirm
https://git.shibboleth.net/view/?p=cpp-opensaml.git%3Ba=commit%3Bh=6182b0acf2df670e75423c2ed7afe6950ef11c9d
Issue Tracking, Vendor Advisory x_refsource_confirm
https://shibboleth.net/community/advisories/secadv_20171115.txt
Mailing List mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2017/11/msg00024.html
Scores
CVSS v3
8.1
EPSS
0.0140
EPSS Percentile
68.9%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-347
Status
published
Products (3)
debian/debian_linux
8.0
debian/debian_linux
9.0
shibboleth/opensaml
< 2.6.1
Published
Nov 16, 2017
Tracked Since
Feb 18, 2026