Follow @discotekdotca
CVE-2017-16853
Current Description
The DynamicMetadataProvider class in saml/saml2/metadata/impl/DynamicMetadataProvider.cpp in OpenSAML-C in OpenSAML before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform critical security checks such as signature verification, enforcement of validity periods, and other checks specific to deployments, aka CPPOST-105.
Basic Data
| Published | November 16, 2017 |
|---|---|
| Last Modified | February 04, 2018 |
| Assigner | cve@mitre.org |
| Data Type | CVE |
| Data Format | MITRE |
| Data Version | 4.0 |
| Problem Type | CWE-347 |
| CVE Data Version | 4.0 |
Base Metric V2
| CVSS 2 - Version | 2.0 |
|---|---|
| CVSS 2 - Vector String | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| CVSS 2 - Access Vector | NETWORK |
| CVSS 2 - Access Complexity | MEDIUM |
| CVSS 2 - Authentication | NONE |
| CVSS 2 - Confidentiality Impact | PARTIAL |
| CVSS 2 - Availability Impact | PARTIAL |
| CVSS 2 - Base Score | 6.8 |
| Severity | MEDIUM |
| Exploitability Score | 8.6 |
| Impact Score | 6.4 |
| Obtain All Privilege | false |
| Obtain User Privilege | false |
| Obtain Other Privilege | false |
Base Metric V3
| CVSS 3 - Version | 3.0 |
|---|---|
| CVSS 3 - Vector String | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVSS 3 - Attack Vector | NETWORK |
| CVSS 3 - Attack Complexity | HIGH |
| CVSS 3 - Privileges Required | NONE |
| CVSS 3 - User Interaction | NONE |
| CVSS 3 - Scope | UNCHANGED |
| CVSS 3 - Confidentiality Impact | HIGH |
| CVSS 3 - Integrity Impact | HIGH |
| CVSS 3 - Availability Impact | HIGH |
| CVSS 3 - Base Score | 8.1 |
| CVSS 3 - Base Severity | HIGH |
| Exploitability Score | 2.2 |
| Base Severity | HIGH |
Configurations
-
OR - Configuration 1
Cpe Version Part Vendor Product Version Update Edition Language SW Edition Target SW Target HW Other Version Start Including Version End Including Version Start Excluding Version End Excluding 2.3 Application Shibboleth Opensaml * * * * * * * * � � � 2.6.1 -
OR - Configuration 2
Cpe Version Part Vendor Product Version Update Edition Language SW Edition Target SW Target HW Other Version Start Including Version End Including Version Start Excluding Version End Excluding 2.3 OS Debian Debian Linux 8.0 * * * * * * * � � � � 2.3 OS Debian Debian Linux 9.0 * * * * * * * � � � �
Vulnerable Software List
| Vendor | Product | Versions |
|---|---|---|
| Debian | Debian Linux | 8.0, 9.0 |
| Shibboleth | Opensaml | * |
References
| Name | Source | URL | Tags |
|---|---|---|---|
| 101898 | http://www.securityfocus.com/bid/101898 | BID | Third Party Advisory VDB Entry |
| https://bugs.debian.org/881856 | https://bugs.debian.org/881856 | CONFIRM | Issue Tracking Third Party Advisory |
| https://git.shibboleth.net/view/?p=cpp-opensaml.git;a=commit;h=6182b0acf2df670e75423c2ed7afe6950ef11c9d | https://git.shibboleth.net/view/?p=cpp-opensaml.git;a=commit;h=6182b0acf2df670e75423c2ed7afe6950ef11 | CONFIRM | Issue Tracking Patch Vendor Advisory |
| [debian-lts-announce] 20171118 [SECURITY] [DLA 1178-1] opensaml2 security update | https://lists.debian.org/debian-lts-announce/2017/11/msg00024.html | MLIST | |
| https://shibboleth.net/community/advisories/secadv_20171115.txt | https://shibboleth.net/community/advisories/secadv_20171115.txt | CONFIRM | Issue Tracking Vendor Advisory |
| DSA-4039 | https://www.debian.org/security/2017/dsa-4039 | DEBIAN | Issue Tracking Third Party Advisory |