CVE-2017-16853 : The DynamicMetadataProvider class in saml/saml2/metadata/impl/DynamicMetadataPro

The DynamicMetadataProvider class in saml/saml2/metadata/impl/DynamicMetadataProvider.cpp in OpenSAML-C in OpenSAML before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform critical security checks such as signature verification, enforcement of validity periods, and other checks specific to deployments, aka CPPOST-105.

Published 2017-11-16 17:29:00

Updated 2018-02-04 02:29:16

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2017-16853

Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Shibboleth » Opensaml
Versions before (<) 2.6.1
cpe:2.3:a:shibboleth:opensaml:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2017-16853

EPSS FAQ

1.85%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 88 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2017-16853

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
8.1	HIGH	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H	2.2	5.9	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2017-16853

CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2017-16853

http://www.securityfocus.com/bid/101898

OpenSAML CVE-2017-16853 Multipal Security Bypass Vulnerabilites
Third Party Advisory;VDB Entry
https://www.debian.org/security/2017/dsa-4039

Debian -- Security Information -- DSA-4039-1 opensaml2
Issue Tracking;Third Party Advisory
https://lists.debian.org/debian-lts-announce/2017/11/msg00024.html

[SECURITY] [DLA 1178-1] opensaml2 security update
https://bugs.debian.org/881856

#881856 - opensaml2: CVE-2017-16853: Dynamic MetadataProvider fails to install security filters (CPPOST-105) - Debian Bug report logs
Issue Tracking;Third Party Advisory
https://git.shibboleth.net/view/?p=cpp-opensaml.git;a=commit;h=6182b0acf2df670e75423c2ed7afe6950ef11c9d

git.shibboleth.net Git - cpp-opensaml.git/commit
Issue Tracking;Patch;Vendor Advisory
https://shibboleth.net/community/advisories/secadv_20171115.txt

Issue Tracking;Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2017-16853

Products affected by CVE-2017-16853

Exploit prediction scoring system (EPSS) score for CVE-2017-16853

CVSS scores for CVE-2017-16853

CWE ids for CVE-2017-16853

References for CVE-2017-16853