Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

VersionEOLUser Data ExposureResource ExposureSession HijackingDenial of ServiceRemote ExploitAdvisories
All
XX

X

2016-06-29, 2016-05-04, 2014-06-08, 2014-04-09, 2013-12-02, 2011-10-24

2.6.1
XX



2.6.0Nov 2017XX

X2017-11-15
2.5.6Jun 2016XX

X
2.5.5Feb 2016XX

X
2.5.4Jul 2015XX
XX2015-07-21
2.5.3Mar 2015XX
XX2015-03-19

2.5.2

Dec 2013XX
XX
2.5.0 - 2.5.1June 2013XX
X
2013-06-18, 2013-01-10
2.4.3Nov 2012XX
XX2012-04-19
2.4.0 - 2.4.2Jul 2011XX
XX2011-07-25, 2011-07-06
2.3.0 - 2.3.1Dec 2010XX
XX
2.2.1Nov 2009XXXXX2009-11-04, 2009-08-26
2.2.0Aug 2009XXXXX2009-08-17
2.0.0 - 2.1.0Jun 2009XXXXX2009-06-15

...

DateTitleAffectsSeverityCVE
2017-11-15

Dynamic MetadataProvider fails to install security filters

SP < 2.6.1critical
2016-06-29

Apache Xerces-C XML Parser Crashes on Malformed DTD

SP w/ Xerces-C < 3.1.4mediumCVE-2016-4463
2016-05-04

Shibboleth SP software <PathRegex> feature implemented incorrectly

SP (all released versions)high
2016-02-25Apache Xerces-C XML Parser Crashes on Malformed InputSP w/ Xerces-C < 3.1.3highCVE-2016-0729
2015-07-21

Shibboleth SP software crashes on well-formed but invalid XML

SP w/ xmltooling < 1.5.5, libsaml < 2.5.5mediumCVE-2015-2684
2015-03-19

Shibboleth SP software crashes on malformed input messages

SP < 2.5.4, Xerces-C < 3.1.2mediumCVE-2015-0252
2015-02-25

Identity Provider and OpenSAML-J PKIX Trust Engines Exhibit Critical Flaw In Trusted Names Evaluation

IDP < 2.4.4, OpenSAML-J < 2.6.5high
2014-11-03

Xerces-J XML Parser Vulnerable to Denial of Service

IDP with Xerces endorsedmediumCVE-2013-4002
2014-09-19

Shibboleth Identity Provider and OpenSAML-J HTTPS and LDAPS Connections Do Not Perform Proper Hostname Verification

IDP < 2.4.2, OpenSAML-J < 2.6.3high

CVE-2014-3604

CVE-2014-3607

2014-08-13

HTTPS Connections Via HTTP Resources Do Not Perform Hostname Verification

IDP < 2.4.1, OpenSAML-J < 2.6.2medium

CVE-2014-3603

2014-06-08OpenSSL MITM issueSP with any affected OpenSSL version, IDP w/ OpenSSL 1.0.1 - 1.0.1ghighCVE-2014-0224
2014-04-09OpenSSL "Heartbleed" vulnerability

SP or IDP w/ OpenSSL 1.0.1 - 1.0.1f

very high

CVE-2014-0160

2013-12-15OpenSAML Java ParserPool and Decrypter Vulnerable To XML AttacksOpenSAML-J < 2.6.1medium
2013-12-02Curl library skips TLS server certificate name checkingSP w/ libcurl between 7.18.0 and 7.33.0lowCVE-2013-4545
2013-06-18

Shibboleth SP heap overflow processing InclusiveNamespace PrefixList

SP w/ libxml-security-c < 1.7.1highCVE-2013-2156
2013-04-17

Identity Provider HTTP-based Metadata Providers did not perform hostname verification

IDP < 2.4.0medium
2013-04-17

Identity Provider issue In Metadata Providers with 'disregardSslCertificate' option

IDP < 2.4.0medium
2013-01-10

Shibboleth SP software crashes on malformed IdP History Cookie

SP w/ libsaml 2.5.0 or 2.5.1low
2012-04-19

OpenSSL ASN1 BIO vulnerability

SP w/ openssl < 1.0.0ihigh

CVE-2012-2110

2012-02-27Identity Provider LDAPS Connections Do Not Perform Hostname VerificationIDP < 2.3.6high
2011-10-24Use of XML Encryption Vulnerable to Chosen Ciphertext AttacksSP and IdP, all versionsmedium
2011-07-25OpenSAML software is vulnerable to XML Signature wrapping attacksIDP < 2.3.2
SP w/ libsaml < 2.4.3
high

CVE-2011-1411

2011-07-18Multi-Session Information LeakageIDP >= 2.1medium
2011-07-06Shibboleth SP software crashes on large signing/encryption keysSP w/ libxml-security-c < 1.6.1high

CVE-2011-2516

2011-05-16Velocity templates vulnerable to XSS (cross-site scripting) injectionIDP < 2.3.0high
2011-01-13Shibboleth IdP 2.X Single TransientID Mapped to Multiple PrincipalsIDP < 2.2.1high
2009-11-04Shibboleth software improperly handles malformed URLsIDP < 2.1.5
SP < 2.3
high

CVE-2009-3300

2009-08-26Shibboleth SP software improperly handles malformed URLsSP w/ libxmltooling < 1.2.2high
2009-08-17Shibboleth SP software improperly evaluates KeyDescriptorsSP < 2.2.1low
2009-08-17Shibboleth SP software improperly handles certificate namesSP < 2.2.1 or w/ libcurl < 7.19.6high
2009-06-19Potential Access to Sensitive Information when Clustering Shibboleth 2.X IdPsIDP, all versions w/ Terracottamedium
2009-06-15Shibboleth SP software on IIS vulnerable to header spoofingSP < 2.2 w/ IIS, but see thishigh
2009-02-24Shibboleth IdP 2.X cross-site request attackIDP < 2.2.0high
2008-11-03Shibboleth IdP 2.0 UsernamePassword Login Handler Vulnerable to Cross-site Request AttackIDP < 2.1.0high