Your submission was sent successfully! Close

CVE-2021-28963

Published: 22 March 2021

Shibboleth Service Provider before 3.2.1 allows content injection because template generation uses attacker-controlled parameters.

From the Ubuntu Security Team

Toni Huttunen and Fraktal Oy discovered that the Shibboleth Service provider allowed content injection due to allowing attacker-controlled parameters in error or other status pages. An attacker could use this to inject malicious content.

Priority

Medium

CVSS 3 base score: 5.3

Status

Package Release Status
shibboleth-sp
Launchpad, Ubuntu, Debian
bionic Does not exist

focal
Released (3.0.4+dfsg1-1ubuntu0.1)
groovy Ignored
(reached end-of-life)
hirsute Ignored
(reached end-of-life)
impish Ignored
(reached end-of-life)
jammy Needs triage

kinetic Needs triage

precise Does not exist

trusty Does not exist

upstream
Released (3.2.1+dfsg1-1)
xenial Does not exist

Patches:
upstream: https://git.shibboleth.net/view/?p=cpp-sp.git;a=commit;h=d1dbebfadc1bdb824fea63843c4c38fa69e54379
shibboleth-sp2
Launchpad, Ubuntu, Debian
bionic Needs triage

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

kinetic Does not exist

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Ignored
(end of standard support, was needs-triage)