Openssl · Openssl · CVE-2010-2450
**Name of the Vulnerable Software and Affected Versions**
Shibboleth SP version 2.0
**Description**
The keygen.sh script in Shibboleth SP uses OpenSSL to create a DES private key, which is placed in sp-key.pm. This script relies on the root umask instead of setting the permissions for the resulting file, making the generated private key world-readable by default.
**Recommendations**
For Shibboleth SP version 2.0, consider modifying the keygen.sh script to properly set the permissions for the generated private key, or manually change the permissions of the sp-key.pm file to prevent it from being world-readable. As a temporary workaround, restrict access to the sp-key.pm file to minimize the risk of exploitation.
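
The sketch below shows the umask-dependent pattern described above next to a hardened form, plus a check for an already exposed key file. It is an added example, not the contents of Shibboleth's keygen.sh: the function names are hypothetical, `fake_keygen` is a stand-in that emits constructed placeholder text instead of calling OpenSSL, and mode 600 in a directory writable only by the key owner is an assumption.

```shell
#!/bin/sh
# Added illustration; NOT the contents of Shibboleth's keygen.sh.
# All function names here are hypothetical.

# Stand-in for the real key generator: emits constructed placeholder text.
fake_keygen() {
    printf '%s\n' '-----BEGIN CONSTRUCTED PLACEHOLDER-----' \
                  'not-a-real-key' \
                  '-----END CONSTRUCTED PLACEHOLDER-----'
}

# Pattern from the advisory: the file mode is whatever the caller's
# umask allows (022 yields 644, readable by every local user).
gen_key_umask_dependent() {
    fake_keygen > "$1"
}

# Hardened form: the resulting mode does not depend on the ambient umask.
# Assumes the target directory is writable only by the key owner.
gen_key_hardened() {
    out=$1
    tmp="$out.tmp.$$"
    # The subshell keeps the umask change from leaking into the caller.
    ( umask 077 && fake_keygen > "$tmp" ) || { rm -f "$tmp"; return 1; }
    # Explicit chmod, then rename over any older, looser copy of the file.
    chmod 600 "$tmp" && mv -f "$tmp" "$out"
}

# Exit status 0 if group or other hold any permission bit on the file,
# 1 if only the owner has access, 2 if the file does not exist.
key_is_exposed() {
    [ -f "$1" ] || return 2
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" != "------" ]
}
```

Running `key_is_exposed` against an existing key file covers the manual-permission recommendation: a zero exit status means the file should be tightened and, since it may already have been read, the key replaced.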