The DynamicMetadataProvider class in saml/saml2/metadata/impl/DynamicMetadataProvider.cpp in OpenSAML-C in OpenSAML before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform critical security checks such as signature verification, enforcement of validity periods, and other checks specific to deployments, aka CPPOST-105.
References
Link | Resource |
---|---|
http://www.securityfocus.com/bid/101898 | Third Party Advisory VDB Entry |
https://bugs.debian.org/881856 | Issue Tracking Third Party Advisory |
https://git.shibboleth.net/view/?p=cpp-opensaml.git%3Ba=commit%3Bh=6182b0acf2df670e75423c2ed7afe6950ef11c9d | |
https://lists.debian.org/debian-lts-announce/2017/11/msg00024.html | |
https://shibboleth.net/community/advisories/secadv_20171115.txt | Issue Tracking Vendor Advisory |
https://www.debian.org/security/2017/dsa-4039 | Issue Tracking Third Party Advisory |
Configurations
History
07 Nov 2023, 02:40
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Information
Published : 2017-11-16 17:29
Updated : 2024-02-28 16:04
NVD link : CVE-2017-16853
Mitre link : CVE-2017-16853
CVE.ORG link : CVE-2017-16853
JSON object : View
Products Affected
shibboleth
- opensaml
debian
- debian_linux
CWE
CWE-347
Improper Verification of Cryptographic Signature