CVSS: 7.3EPSS: 0%CPEs: 2EXPL: 1CVE-2023-22947
https://notcve.org/view.php?id=CVE-2023-22947
Insecure folder permissions in the Windows installation path of Shibboleth Service Provider (SP) before 3.4.1 allow an unprivileged local attacker to escalate privileges to SYSTEM via DLL planting in the service executable's folder. This occurs because the installation goes under C:\opt (rather than C:\Program Files) by default. NOTE: the vendor disputes the significance of this report, stating that "We consider the ACLs a best effort thing" and "it was a documentation mistake." Los permisos de carpeta inseguros en la ruta de instalación de Windows de Shibboleth Service Provider (SP) anterior a 3.4.1 permiten a un atacante local sin privilegios escalar privilegios a SYSTEM mediante la instalación de DLL en la carpeta del ejecutable del servicio. Esto ocurre porque la instalación se realiza en C:\opt (en lugar de C:\Program Files) de forma predeterminada. • https://shibboleth.atlassian.net/browse/SSPCPP-961 https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065335545/Install+on+Windows#Restricting-ACLs • CWE-427: Uncontrolled Search Path Element •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2021-31826
https://notcve.org/view.php?id=CVE-2021-31826
Shibboleth Service Provider 3.x before 3.2.2 is prone to a NULL pointer dereference flaw involving the session recovery feature. The flaw is exploitable (for a daemon crash) on systems not using this feature if a crafted cookie is supplied. Shibboleth Service Provider versiones 3.x anteriores a 3.2.2, es propenso a un fallo de desreferencia del puntero NULL que involucra la funcionalidad session recovery. El fallo es explotable (para un bloqueo del demonio) en sistemas que no usan esta funcionalidad si es suministrada una cookie diseñada • https://bugs.debian.org/987608 https://git.shibboleth.net/view/?p=cpp-sp.git%3Ba=commit%3Bh=5a47c3b9378f4c49392dd4d15189b70956f9f2ec https://issues.shibboleth.net/jira/browse/SSPCPP-927 https://shibboleth.net/community/advisories/secadv_20210426.txt https://www.debian.org/security/2021/dsa-4905 • CWE-476: NULL Pointer Dereference •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-28963
https://notcve.org/view.php?id=CVE-2021-28963
Shibboleth Service Provider before 3.2.1 allows content injection because template generation uses attacker-controlled parameters. Shibboleth Service Provider versiones anteriores a 3.2.1, permite una inyección de contenido porque la generación de plantillas usa parámetros controlados por atacantes • https://bugs.debian.org/985405 https://git.shibboleth.net/view/?p=cpp-sp.git%3Ba=commit%3Bh=d1dbebfadc1bdb824fea63843c4c38fa69e54379 https://issues.shibboleth.net/jira/browse/SSPCPP-922 https://shibboleth.net/community/advisories/secadv_20210317.txt https://www.debian.org/security/2021/dsa-4872 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2019-19191
https://notcve.org/view.php?id=CVE-2019-19191
Shibboleth Service Provider (SP) 3.x before 3.1.0 shipped a spec file that calls chown on files in a directory controlled by the service user (the shibd account) after installation. This allows the user to escalate to root by pointing symlinks to files such as /etc/shadow. Shibboleth Service Provider (SP) versiones 3.x anteriores a 3.1.0, envió un archivo de especificaciones que llama a chown sobre archivos en un directorio controlado por el usuario del servicio (la cuenta shibd) después de la instalación. Esto permite al usuario escalar a root al apuntar enlaces simbólicos en archivos tales como /etc/shadow. • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00017.html https://bugzilla.suse.com/show_bug.cgi?id=1157471 https://issues.shibboleth.net/jira/browse/SSPCPP-874 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •