Vulnerability & Exploit Database

Back to search

FreeBSD: VID-B4B7EC7D-CA27-11E7-A12D-6CC21735F730: shibboleth2-sp -- "Dynamic" metadata provider plugin issue

Severity CVSS Published Added Modified
4 (AV:L/AC:M/Au:N/C:P/I:P/A:P) November 14, 2017 November 14, 2017 November 14, 2017

Description

The Internet2 community reports:

The Shibboleth Service Provider software includes a MetadataProvider

plugin with the plugin type "Dynamic" to obtain metadata on demand

from a query server, in place of the more typical mode of

downloading aggregates separately containing all of the metadata to

load.

All the plugin types rely on MetadataFilter plugins to perform

critical security checks such as signature verification, enforcement

of validity periods, and other checks specific to deployments.

Due to a coding error, the "Dynamic" plugin fails to configure

itself with the filters provided to it and thus omits whatever

checks they are intended to perform, which will typically leave

deployments vulnerable to active attacks involving the substitution

of metadata if the network path to the query service is

compromised.

Free Nexpose Download

Discover, prioritize, and remediate security risks today!

 Download now

Solution

freebsd-upgrade-package-shibboleth2-sp