Vulnerability Details : CVE-2017-16852
shibsp/metadata/DynamicMetadataProvider.cpp in the Dynamic MetadataProvider plugin in Shibboleth Service Provider before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform critical security checks such as signature verification, enforcement of validity periods, and other checks specific to deployments, aka SSPCPP-763.
Products affected by CVE-2017-16852
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:shibboleth:service_provider:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-16852
- EPSS score: 0.44% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~72% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2017-16852
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST |
8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 | NIST |
CWE ids for CVE-2017-16852
- The product does not verify, or incorrectly verifies, the cryptographic signature for data. Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-16852
- https://bugs.debian.org/881857
  #881857 - shibboleth-sp2: CVE-2017-16852: Dynamic MetadataProvider fails to install security filters (SSCPP-763) - Debian Bug report logs (Issue Tracking; Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2017/11/msg00025.html
  [SECURITY] [DLA 1179-1] shibboleth-sp2 security update
- https://git.shibboleth.net/view/?p=cpp-sp.git;a=commit;h=b66cceb0e992c351ad5e2c665229ede82f261b16
  git.shibboleth.net Git - cpp-sp.git/commit (Issue Tracking; Patch; Vendor Advisory)
- https://www.debian.org/security/2017/dsa-4038
  Debian -- Security Information -- DSA-4038-1 shibboleth-sp2 (Issue Tracking; Third Party Advisory)
- https://shibboleth.net/community/advisories/secadv_20171115.txt
  (Issue Tracking; Vendor Advisory)