Vulnerability Description
shibsp/metadata/DynamicMetadataProvider.cpp in the Dynamic MetadataProvider plugin in Shibboleth Service Provider before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform critical security checks such as signature verification, enforcement of validity periods, and other checks specific to deployments, aka SSPCPP-763.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Shibboleth | Service Provider | < 2.6.1 |
| Debian | Debian Linux | 8.0 |
Related Weaknesses (CWE)
References
- https://bugs.debian.org/881857Issue TrackingThird Party Advisory
- https://git.shibboleth.net/view/?p=cpp-sp.git%3Ba=commit%3Bh=b66cceb0e992c351ad5
- https://lists.debian.org/debian-lts-announce/2017/11/msg00025.html
- https://shibboleth.net/community/advisories/secadv_20171115.txtIssue TrackingVendor Advisory
- https://www.debian.org/security/2017/dsa-4038Issue TrackingThird Party Advisory
- https://bugs.debian.org/881857Issue TrackingThird Party Advisory
- https://git.shibboleth.net/view/?p=cpp-sp.git%3Ba=commit%3Bh=b66cceb0e992c351ad5
- https://lists.debian.org/debian-lts-announce/2017/11/msg00025.html
- https://shibboleth.net/community/advisories/secadv_20171115.txtIssue TrackingVendor Advisory
- https://www.debian.org/security/2017/dsa-4038Issue TrackingThird Party Advisory
FAQ
What is CVE-2017-16852?
CVE-2017-16852 is a vulnerability with a CVSS score of 8.1 (HIGH). shibsp/metadata/DynamicMetadataProvider.cpp in the Dynamic MetadataProvider plugin in Shibboleth Service Provider before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and do...
How severe is CVE-2017-16852?
CVE-2017-16852 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-16852?
Check the references section above for vendor advisories and patch information. Affected products include: Shibboleth Service Provider, Debian Debian Linux.