Vulnerability Description
Shibboleth Service Provider 3.x before 3.2.2 is prone to a NULL pointer dereference flaw involving the session recovery feature. The flaw is exploitable (for a daemon crash) on systems not using this feature if a crafted cookie is supplied.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Shibboleth | Service Provider | >= 3.0.0, < 3.2.2 |
Related Weaknesses (CWE)
References
- https://bugs.debian.org/987608 (Mailing List, Third Party Advisory)
- https://git.shibboleth.net/view/?p=cpp-sp.git%3Ba=commit%3Bh=5a47c3b9378f4c49392
- https://issues.shibboleth.net/jira/browse/SSPCPP-927 (Exploit, Patch, Vendor Advisory)
- https://shibboleth.net/community/advisories/secadv_20210426.txt (Vendor Advisory)
- https://www.debian.org/security/2021/dsa-4905 (Third Party Advisory)
FAQ
What is CVE-2021-31826?
CVE-2021-31826 is a vulnerability with a CVSS score of 7.5 (HIGH). Shibboleth Service Provider 3.x before 3.2.2 is prone to a NULL pointer dereference flaw involving the session recovery feature. The flaw is exploitable (for a daemon crash) on systems not using this feature if a crafted cookie is supplied.
How severe is CVE-2021-31826?
CVE-2021-31826 has been rated HIGH with a CVSS base score of 7.5/10. See the CVSS Score section above for the severity rating.
Is there a patch for CVE-2021-31826?
Check the references section above for vendor advisories and patch information. Affected products include: Shibboleth Service Provider.