Your submission was sent successfully! Close

CVE-2021-28963

Published: 22 March 2021

Shibboleth Service Provider before 3.2.1 allows content injection because template generation uses attacker-controlled parameters.

From the Ubuntu security team

Toni Huttunen and Fraktal Oy discovered that the Shibboleth Service provider allowed content injection due to allowing attacker-controlled parameters in error or other status pages. An attacker could use this to inject malicious content.

Priority

Medium

CVSS 3 base score: 5.3

Status

Package Release Status
shibboleth-sp
Launchpad, Ubuntu, Debian
bionic Does not exist

focal
Released (3.0.4+dfsg1-1ubuntu0.1)
groovy Ignored
(reached end-of-life)
hirsute Ignored
(reached end-of-life)
impish Needs triage

jammy Needs triage

precise Does not exist

trusty Does not exist

upstream
Released (3.2.1+dfsg1-1)
xenial Does not exist

shibboleth-sp2
Launchpad, Ubuntu, Debian
bionic Needs triage

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Ignored
(end of standard support, was needs-triage)