Page tree

The Shibboleth 2.x software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP30 and SP3 wiki spaces for current documentation on the supported versions.

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 50 Next »

This is the advisory page for Identity Provider V2 and Service Provider V2 releases. For newer V3 IdP advisories, refer to the V3 SecurityAdvisories page.

This page provides easier access to the complete history of Security Advisories released for the Shibboleth V2 software products and an "at a glance" table showing you which releases are vulnerable to what kinds of issues. If you're running a particular version, you can use this table to identify the issues that could affect your system and determine how urgent an upgrade is. In addition to the announce mailing list, you can "watch" this page for changes to keep abreast. Pages exist describing briefly how to check the IdP or SP version you have.

If you would like to report an issue you believe is security related, you can do any of the following:

As always, sites are advised to use the latest stable release of any Shibboleth product. Refer to the ProductVersioning page for information about our support and versioning policies. The Home page identifies the specific versions recommended at a given point in time

This page only covers advisories affecting the V2 products. Other advisories are not listed here, but you can find the complete set of advisories in this directory.

Obviously not all vulnerabilities are created equal, and the classifications in the matrices are general in nature, and are meant to point you to the relevant advisories to look into.

A particular version will typically be implicated by any advisories noted for it and for any newer versions above it in the tables.

Advisories noted for "All" versions should be reviewed by all deployers for relevancy to their deployment. Typically this indicates that an advisory is at least partly discussing issues that go beyond the scope of what the Shibboleth software can actually remediate and may affect the deployment as a whole. It does not in general refer to unfixed vulnerabilities in the Shibboleth software itself. There are a significant number of these at this point.

Identity Provider Vulnerability Matrix

VersionEOLUser Data ExposureUser Data AccuracySession HijackingDenial of ServiceRemote ExploitAdvisories
AllAug 2016XX

2014-11-03, 2014-06-08, 2014-04-09, 2011-10-24, 2011-07-18, 2009-06-19

2.4.5Aug 2016XX

2.4.4Aug 2016XX

2.4.3Feb 2015XX

2.4.2Nov 2014XX

2.4.1Sep 2014XX
2.4.0Aug 2014XX
2.3.8Apr 2013XX
2013-04-17, 2013-04-17a
2.3.6 - 2.3.7Jul 2012XX

2.3.2 - 2.3.5Feb 2012XX
2.3.0 - 2.3.1Jul 2011XX
2.2.1May 2011XXXXX2011-05-16
2.2.0Jan 2011XXXXX2011-01-13
2.1.5Sep 2010XXXXX2009-02-24
2.1.1 - 2.1.4Nov 2009XXXXX2009-11-04
2.0.0Dec 2008XXXXX2008-11-03

Service Provider Vulnerability Matrix

The oldest SP version unaffected by fixable vulnerabilities (excepting the advisory from 2016-05-04) is V2.6.0 in conjunction with OpenSAML 2.5.5, Xerces 3.1.4, and OpenSSL 1.0.2h.

VersionEOLUser Data ExposureResource ExposureSession HijackingDenial of ServiceRemote ExploitAdvisories


2016-06-29, 2016-05-04, 2014-06-08, 2014-04-09, 2013-12-02, 2011-10-24


2.5.6Jun 2016XX

2.5.5Feb 2016XX

2.5.4Jul 2015XX
2.5.3Mar 2015XX


Dec 2013XX
2.5.0 - 2.5.1June 2013XX
2013-06-18, 2013-01-10
2.4.3Nov 2012XX
2.4.0 - 2.4.2Jul 2011XX
XX2011-07-25, 2011-07-06
2.3.0 - 2.3.1Dec 2010XX
2.2.1Nov 2009XXXXX2009-11-04, 2009-08-26
2.2.0Aug 2009XXXXX2009-08-17
2.0.0 - 2.1.0Jun 2009XXXXX2009-06-15

Advisory List


Apache Xerces-C XML Parser Crashes on Malformed DTD

SP w/ Xerces-C < 3.1.4mediumCVE-2016-4463

Shibboleth SP software <PathRegex> feature implemented incorrectly

SP (all released versions)high
2016-02-25Apache Xerces-C XML Parser Crashes on Malformed InputSP w/ Xerces-C < 3.1.3highCVE-2016-0729

Shibboleth SP software crashes on well-formed but invalid XML

SP w/ xmltooling < 1.5.5, libsaml < 2.5.5mediumCVE-2015-2684

Shibboleth SP software crashes on malformed input messages

SP < 2.5.4, Xerces-C < 3.1.2mediumCVE-2015-0252

Identity Provider and OpenSAML-J PKIX Trust Engines Exhibit Critical Flaw In Trusted Names Evaluation

IDP < 2.4.4, OpenSAML-J < 2.6.5high

Xerces-J XML Parser Vulnerable to Denial of Service

IDP with Xerces endorsedmediumCVE-2013-4002

Shibboleth Identity Provider and OpenSAML-J HTTPS and LDAPS Connections Do Not Perform Proper Hostname Verification

IDP < 2.4.2, OpenSAML-J < 2.6.3high




HTTPS Connections Via HTTP Resources Do Not Perform Hostname Verification

IDP < 2.4.1, OpenSAML-J < 2.6.2medium


2014-06-08OpenSSL MITM issueSP with any affected OpenSSL version, IDP w/ OpenSSL 1.0.1 - 1.0.1ghighCVE-2014-0224
2014-04-09OpenSSL "Heartbleed" vulnerability

SP or IDP w/ OpenSSL 1.0.1 - 1.0.1f

very high


2013-12-15OpenSAML Java ParserPool and Decrypter Vulnerable To XML AttacksOpenSAML-J < 2.6.1medium
2013-12-02Curl library skips TLS server certificate name checkingSP w/ libcurl between 7.18.0 and 7.33.0lowCVE-2013-4545

Shibboleth SP heap overflow processing InclusiveNamespace PrefixList

SP w/ libxml-security-c < 1.7.1highCVE-2013-2156

Identity Provider HTTP-based Metadata Providers did not perform hostname verification

IDP < 2.4.0medium

Identity Provider issue In Metadata Providers with 'disregardSslCertificate' option

IDP < 2.4.0medium

Shibboleth SP software crashes on malformed IdP History Cookie

SP w/ libsaml 2.5.0 or 2.5.1low

OpenSSL ASN1 BIO vulnerability

SP w/ openssl < 1.0.0ihigh


2012-02-27Identity Provider LDAPS Connections Do Not Perform Hostname VerificationIDP < 2.3.6high
2011-10-24Use of XML Encryption Vulnerable to Chosen Ciphertext AttacksSP and IdP, all versionsmedium
2011-07-25OpenSAML software is vulnerable to XML Signature wrapping attacksIDP < 2.3.2
SP w/ libsaml < 2.4.3


2011-07-18Multi-Session Information LeakageIDP >= 2.1medium
2011-07-06Shibboleth SP software crashes on large signing/encryption keysSP w/ libxml-security-c < 1.6.1high


2011-05-16Velocity templates vulnerable to XSS (cross-site scripting) injectionIDP < 2.3.0high
2011-01-13Shibboleth IdP 2.X Single TransientID Mapped to Multiple PrincipalsIDP < 2.2.1high
2009-11-04Shibboleth software improperly handles malformed URLsIDP < 2.1.5
SP < 2.3


2009-08-26Shibboleth SP software improperly handles malformed URLsSP w/ libxmltooling < 1.2.2high
2009-08-17Shibboleth SP software improperly evaluates KeyDescriptorsSP < 2.2.1low
2009-08-17Shibboleth SP software improperly handles certificate namesSP < 2.2.1 or w/ libcurl < 7.19.6high
2009-06-19Potential Access to Sensitive Information when Clustering Shibboleth 2.X IdPsIDP, all versions w/ Terracottamedium
2009-06-15Shibboleth SP software on IIS vulnerable to header spoofingSP < 2.2 w/ IIS, but see thishigh
2009-02-24Shibboleth IdP 2.X cross-site request attackIDP < 2.2.0high
2008-11-03Shibboleth IdP 2.0 UsernamePassword Login Handler Vulnerable to Cross-site Request AttackIDP < 2.1.0high
  • No labels