CVE-2017-16852: Improper Verification of Cryptographic Signature in Service Provider

Severity
8.1 HIGH (NVD)
EPSS
0.3%
top 45.39%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Nov 16
Latest update: May 14

Description

shibsp/metadata/DynamicMetadataProvider.cpp in the Dynamic MetadataProvider plugin in Shibboleth Service Provider before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform critical security checks such as signature verification, enforcement of validity periods, and other checks specific to deployments, aka SSPCPP-763.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.2 | Impact: 5.9

Affected Packages (1 package)

Also affects: Debian Linux 8.0, 9.0

Vulnerability Details (3)

GHSA
GHSA-5rhm-55rh-pvvp: shibsp/metadata/DynamicMetadataProvider (2022-05-14)
CVEList
CVE-2017-16852: shibsp/metadata/DynamicMetadataProvider (2017-11-16)
OSV
CVE-2017-16852: shibsp/metadata/DynamicMetadataProvider (2017-11-16)