CVSS2
Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |
Vector | AV:N/AC:M/Au:N/C:P/I:P/A:P |

CVSS3
Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
Vector | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |

EPSS
Metric | Value |
---|---|
Percentile | 75.0% |

shibsp/metadata/DynamicMetadataProvider.cpp in the Dynamic MetadataProvider
plugin in Shibboleth Service Provider before 2.6.1 fails to properly
configure itself with the MetadataFilter plugins and does not perform
critical security checks such as signature verification, enforcement of
validity periods, and other checks specific to deployments, aka SSPCPP-763.
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 17.10 | noarch | shibboleth-sp2 | < 2.6.0+dfsg1-4+deb9u1build0.17.10.1 | UNKNOWN |
ubuntu | 16.04 | noarch | shibboleth-sp2 | < any | UNKNOWN |
ubuntu | 17.04 | noarch | shibboleth-sp2 | < 2.6.0+dfsg1-4+deb9u1build0.17.04.1 | UNKNOWN |
bugs.debian.org/881857
git.shibboleth.net/view/?p=cpp-sp.git;a=commit;h=b66cceb0e992c351ad5e2c665229ede82f261b16
launchpad.net/bugs/cve/CVE-2017-16852
nvd.nist.gov/vuln/detail/CVE-2017-16852
security-tracker.debian.org/tracker/CVE-2017-16852
shibboleth.net/community/advisories/secadv_20171115.txt
www.cve.org/CVERecord?id=CVE-2017-16852