CVE-2023-36661
https://notcve.org/view.php?id=CVE-2023-36661
Shibboleth XMLTooling before 3.2.4, as used in OpenSAML and Shibboleth Service Provider, allows SSRF via a crafted KeyInfo element. (This is fixed in, for example, Shibboleth Service Provider 3.4.1.3 on Windows.) • https://shibboleth.net/community/advisories/secadv_20230612.txt https://www.debian.org/security/2023/dsa-5432 • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2023-22947
https://notcve.org/view.php?id=CVE-2023-22947
Insecure folder permissions in the Windows installation path of Shibboleth Service Provider (SP) before 3.4.1 allow an unprivileged local attacker to escalate privileges to SYSTEM via DLL planting in the service executable's folder. This occurs because the installation goes under C:\opt (rather than C:\Program Files) by default, so the directory does not inherit the restrictive ACLs of Program Files. NOTE: the vendor disputes the significance of this report, stating that "We consider the ACLs a best effort thing" and "it was a documentation mistake." • https://shibboleth.atlassian.net/browse/SSPCPP-961 https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065335545/Install+on+Windows#Restricting-ACLs • CWE-427: Uncontrolled Search Path Element •
CVE-2022-24129
https://notcve.org/view.php?id=CVE-2022-24129
The OIDC OP plugin before 3.0.4 for Shibboleth Identity Provider allows server-side request forgery (SSRF) due to insufficient restriction of the request_uri parameter: the provider dereferences the attacker-supplied URI itself, so an attacker can make the IdP interact with arbitrary third-party (or internal) HTTP services. • http://shibboleth.net/community/advisories http://shibboleth.net/community/advisories/secadv_20220131.txt https://github.com/sbaresearch/advisories/tree/public/2022/SBA-ADV-20220127-01_Shibboleth_IdP_OIDC_OP_Plugin_SSRF • CWE-918: Server-Side Request Forgery (SSRF) •
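The two SSRF entries above (CVE-2023-36661 and CVE-2022-24129) share one root cause: the server dereferences a URI that arrived inside a protocol message. The guard below is an added example, not code from Shibboleth, XMLTooling or the OIDC OP plugin, and it shows the pre-fetch check a practitioner would want in front of any such dereference: the URL must match a prefix the operator registered out of band (which is what RFC 9101 expects for request_uri values), and every address the host resolves to must be outside loopback, private, link-local and cloud-metadata ranges. For a URI found inside a SAML KeyInfo element the simpler answer is usually not to dereference it at all. The hostnames, the registered prefixes, the address table standing in for DNS and the sample inputs are constructed for this example.

```python
"""Allow-list guard for a server-side fetch of a URI taken from a request.

Added example, not Shibboleth, XMLTooling or OIDC plugin code. Hostnames,
addresses and the registered prefix list below are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed: request_uri prefixes that a hypothetical relying party
# registered out of band with the provider.
REGISTERED_PREFIXES = (
    "https://rp.example.edu/oidc/request-objects/",
    "https://rebind.example.org/req/",
)

# Constructed stand-in for DNS so the guard runs offline. A real guard
# resolves the name, checks every returned address and then connects to
# that same address; resolving twice lets a rebinding DNS answer slip past.
FAKE_DNS = {
    "rp.example.edu": ["198.51.100.10"],
    "rebind.example.org": ["127.0.0.1"],   # registered name pointed inward
}

# Address ranges a server-initiated fetch must never reach.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",   # link-local, includes the 169.254.169.254 metadata endpoint
    "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def _resolve(host):
    """A literal IP resolves to itself; names go through the constructed table."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return [ipaddress.ip_address(a) for a in FAKE_DNS.get(host, [])]


def _is_blocked(ip):
    """Check one address against the block list, unwrapping IPv4-mapped IPv6."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_fetch_target(url, registered=REGISTERED_PREFIXES):
    """Return (allowed, reason). Only a True result may be fetched."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    if not parts.hostname:
        return False, "missing host"
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port not in (None, 443):
        return False, "non-default port"
    if ".." in parts.path.split("/"):
        return False, "path traversal"
    # Cheap syntactic check first: the URL must sit under a registered prefix.
    if not any(url.startswith(p) for p in registered):
        return False, "URL not registered for this client"
    # Registration alone is not enough: the name may resolve inward.
    addrs = _resolve(parts.hostname)
    if not addrs:
        return False, "host does not resolve"
    for ip in addrs:
        if _is_blocked(ip):
            return False, "resolves to blocked address %s" % ip
    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "https://rp.example.edu/oidc/request-objects/7f3a",
        "https://169.254.169.254/latest/meta-data/",
        "https://rebind.example.org/req/obj1",
    ):
        print(candidate, check_fetch_target(candidate))
```

The order matters: the syntactic checks and the registration lookup cost nothing and need no network, while resolution is the expensive step and is also where rebinding attacks live, so the address that passes the check must be the one the client actually connects to.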
CVE-2021-31826
https://notcve.org/view.php?id=CVE-2021-31826
Shibboleth Service Provider 3.x before 3.2.2 is prone to a NULL pointer dereference flaw involving the session recovery feature. The flaw is exploitable for a daemon crash (denial of service) by supplying a crafted cookie, and it affects systems that do not use the session recovery feature as well. • https://bugs.debian.org/987608 https://git.shibboleth.net/view/?p=cpp-sp.git%3Ba=commit%3Bh=5a47c3b9378f4c49392dd4d15189b70956f9f2ec https://issues.shibboleth.net/jira/browse/SSPCPP-927 https://shibboleth.net/community/advisories/secadv_20210426.txt https://www.debian.org/security/2021/dsa-4905 • CWE-476: NULL Pointer Dereference •
CVE-2021-28963
https://notcve.org/view.php?id=CVE-2021-28963
Shibboleth Service Provider before 3.2.1 allows content injection because template generation (for example, the SP's error pages) substitutes attacker-controlled request parameters into the output without neutralizing them. • https://bugs.debian.org/985405 https://git.shibboleth.net/view/?p=cpp-sp.git%3Ba=commit%3Bh=d1dbebfadc1bdb824fea63843c4c38fa69e54379 https://issues.shibboleth.net/jira/browse/SSPCPP-922 https://shibboleth.net/community/advisories/secadv_20210317.txt https://www.debian.org/security/2021/dsa-4872 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
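The CVE-2021-28963 entry describes the general CWE-74 pattern: values from the request are pasted into a generated page. The following is an added example, not the Shibboleth SP template engine or its fix; the placeholder syntax `[[text:name]]` / `[[url:name]]`, the template, the parameter names and the attacker input are all constructed for the illustration. It renders the same template once verbatim and once with context-aware encoding (HTML entity escaping in text and attribute contexts, and a scheme allow-list for a value that lands in an `href`), and includes a small check that lists any tags in the output that the template itself never contained.

```python
"""Template rendering from request parameters, verbatim vs. context-encoded.

Added example, not Shibboleth SP code. Template syntax, parameter names and
the sample attacker input are constructed.
"""
import html
import re
from urllib.parse import urlsplit

# Constructed template: text placeholders plus one placeholder in URL context.
ERROR_TEMPLATE = (
    "<html><body>\n"
    "<h1>Access error: [[text:errorType]]</h1>\n"
    '<p>Resource: <a href="[[url:requestURL]]">[[text:requestURL]]</a></p>\n'
    "<p>[[text:errorText]]</p>\n"
    "</body></html>\n"
)

PLACEHOLDER = re.compile(r"\[\[(text|url):([A-Za-z]+)\]\]")

# Constructed attacker input, as it might arrive in query parameters.
ATTACK_PARAMS = {
    "errorType": "<script>alert(document.cookie)</script>",
    "requestURL": "javascript:alert(1)",
    "errorText": '"><img src=x onerror=alert(1)>',
}


def render_vulnerable(template, params):
    """Substitute request parameters verbatim: the pattern behind CWE-74."""
    return PLACEHOLDER.sub(lambda m: params.get(m.group(2), ""), template)


def _safe_url(value):
    """Allow only absolute http(s) URLs in href context; anything else becomes '#'."""
    parts = urlsplit(value)
    if parts.scheme in ("http", "https") and parts.netloc:
        return html.escape(value, quote=True)
    return "#"


def render_hardened(template, params):
    """Encode each value for the context its placeholder sits in."""
    def fill(m):
        kind, name = m.group(1), m.group(2)
        value = params.get(name, "")
        if kind == "url":
            return _safe_url(value)
        return html.escape(value, quote=True)   # also escapes quotes for attributes
    return PLACEHOLDER.sub(fill, template)


_TAG = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)")


def foreign_tags(template, rendered):
    """Tag names present in the rendered page that the template never contained."""
    expected = {t.lower() for t in _TAG.findall(template)}
    return sorted({t.lower() for t in _TAG.findall(rendered)} - expected)


if __name__ == "__main__":
    bad = render_vulnerable(ERROR_TEMPLATE, ATTACK_PARAMS)
    good = render_hardened(ERROR_TEMPLATE, ATTACK_PARAMS)
    print("verbatim render introduces:", foreign_tags(ERROR_TEMPLATE, bad))
    print("encoded render introduces:", foreign_tags(ERROR_TEMPLATE, good))
    print(good)
```

Entity escaping alone is not sufficient for the `href` slot: `javascript:alert(1)` contains no characters that `html.escape` touches, which is why the URL-context placeholder gets its own allow-list rather than the text encoder.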