CVE-2017-16853: Improper Verification of Cryptographic Signature in OpenSAML

Severity: 8.1 HIGH (NVD)
EPSS: 0.7% (top 28.08%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 16; latest update May 14

Description

The DynamicMetadataProvider class in saml/saml2/metadata/impl/DynamicMetadataProvider.cpp in OpenSAML-C in OpenSAML before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform critical security checks such as signature verification, enforcement of validity periods, and other checks specific to deployments, aka CPPOST-105.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.2 | Impact: 5.9

Affected Packages (1 package)

NVD: shibboleth/opensaml < 2.6.1

Also affects: Debian Linux 8.0, 9.0

Vulnerability Details (3)

GHSA: GHSA-hrv7-jmr6-cr43: The DynamicMetadataProvider class in saml/saml2/metadata/impl/DynamicMetadataProvider (2022-05-14)
CVEList: CVE-2017-16853: The DynamicMetadataProvider class in saml/saml2/metadata/impl/DynamicMetadataProvider (2017-11-16)
OSV: CVE-2017-16853: The DynamicMetadataProvider class in saml/saml2/metadata/impl/DynamicMetadataProvider (2017-11-16)

Vendor Advisories (1)

Red Hat: opensaml: The DynamicMetadataProvider class does not perform various security checks (2017-11-13)

Community (2)

Bugzilla: CVE-2017-16853 opensaml: The DynamicMetadataProvider class does not perform various security checks (2017-11-29)
Bugzilla: CVE-2017-16853 opensaml: The DynamicMetadataProvider class does not perform various security checks [fedora-all] (2017-11-29)
CVE-2017-16853 — Shibboleth Opensaml vulnerability | cvebase