CVE-2010-2450 — Sensitive Information Exposure in Service Provider

CWE-200 — Sensitive Information Exposure CWE-916 — Use of Password Hash With Insufficient Computational Effort4 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 62.71%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Linux Shibboleth Service Provider

Timeline

PublishedNov 7

Latest updateApr 21

Description

The keygen.sh script in Shibboleth SP 2.0 (located in /usr/local/etc/shibboleth by default) uses OpenSSL to create a DES private key which is placed in sp-key.pm. It relies on the root umask (default 22) instead of chmoding the resulting file itself, so the generated private key is world readable by default.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages1 packages

▶NVDshibboleth/service_provider2.0

Also affects: Debian Linux 8.0, 9.0

Patches

Patch: bugs.debian.org ↗Patch: bugs.debian.org ↗

🔴Vulnerability Details

GHSA

GHSA-9cvv-j545-66mj: The keygen↗2022-04-21

▶

CVEList

CVE-2010-2450: The keygen↗2019-11-07

▶

📋Vendor Advisories

Debian

CVE-2010-2450: shibboleth-sp - The keygen.sh script in Shibboleth SP 2.0 (located in /usr/local/etc/shibboleth ...↗2010

▶