PT-2019-6543 · Openssl+1 · Openssl+1

Dominic Hargreaves · Published 2019-11-07 · Updated 2019-11-13 · CVE-2010-2450

CVSS v2.0: 5.0 (Medium)

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Shibboleth SP version 2.0

Description

The keygen.sh script in Shibboleth SP uses OpenSSL to create a DES private key, which is placed in sp-key.pm. This script relies on the root umask instead of setting the permissions for the resulting file, making the generated private key world-readable by default.

Recommendations

For Shibboleth SP version 2.0, consider modifying the keygen.sh script to properly set the permissions for the generated private key, or manually change the permissions of the sp-key.pm file to prevent it from being world-readable. As a temporary workaround, restrict access to the sp-key.pm file to minimize the risk of exploitation.
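The umask-dependent pattern described above next to a hardened form and an audit check, as an added example (this is not the Shibboleth keygen.sh). The function names are hypothetical, and `generate_key` is a stand-in that writes constructed placeholder bytes where the real script would invoke OpenSSL.

```shell
#!/bin/sh
# Added example, not the Shibboleth keygen.sh.

# Stand-in for the key generator (assumption): creates "$1" without setting
# a mode itself, so the result is 0666 masked by the caller's umask.
generate_key() {
    printf '%s\n' 'CONSTRUCTED PLACEHOLDER, NOT A REAL KEY' > "$1"
}

# The pattern the advisory describes: the mode is whatever the umask yields.
keygen_umask_dependent() {
    generate_key "$1"
}

# Hardened: tighten the umask in a subshell so the file is never created
# readable by group or other, then pin the mode explicitly.
keygen_hardened() {
    (
        umask 077
        rm -f "$1"    # a pre-existing file would keep its old mode on truncate
        generate_key "$1" && chmod 600 "$1"
    )
}

# Audit check: succeeds only if group and other have no permission bits.
# Returns 2 if the file does not exist.
key_is_private() {
    [ -f "$1" ] || return 2
    bits=$(ls -ld "$1" | cut -c5-10)    # group + other columns of the mode
    [ "$bits" = "------" ]
}

# Demo in a scratch directory under a umask of 022.
demo() {
    dir=$(mktemp -d) || return 1
    (
        umask 022
        keygen_umask_dependent "$dir/weak.key"
        keygen_hardened "$dir/strong.key"
    )
    for f in "$dir/weak.key" "$dir/strong.key"; do
        if key_is_private "$f"; then echo "OK    $f"; else echo "OPEN  $f"; fi
    done
    rm -rf "$dir"
}
demo
```

`key_is_private` can be pointed at an existing key file to confirm that the manual permission change from the recommendations took effect.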

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2010-2450

Affected Products

Openssl
Shibboleth-Sp