FreeBSD: VID-9f9b0b37-88fa-11f0-90a2-6cc21735f730: Shibboleth Service Provider -- SQL injection vulnerability in ODBC plugin
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:L/Au:S/C:C/I:N/A:N) | Sep 3, 2025 | Dec 10, 2025 | Dec 10, 2025 |
Description
Internet2 reports: The Shibboleth Service Provider includes a storage API usable for a number of different use cases such as the session cache, replay cache, and relay state management. An ODBC extension plugin is provided with some distributions of the software (notably on Windows). A SQL injection vulnerability was identified in some of the queries issued by the plugin, and this can be creatively exploited through specially crafted inputs to exfiltrate information stored in the database used by the SP.
Solution
freebsd-upgrade-package-shibboleth-sp