Ferenc Wágner

**Name of the Vulnerable Software and Affected Versions** Shibboleth Service Provider versions 3.x through 3.2.1 **Description** The issue involves a NULL pointer dereference flaw in the session recovery feature of the Shibboleth Service Provider. This flaw can be exploited to cause a daemon crash on systems not using the session recovery feature by supplying a crafted cookie. The exploitation of this flaw can allow a remote attacker to cause a denial of service. **Recommendations** For Shibboleth Service Provider versions 3.x through 3.2.1, update to version 3.2.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the session recovery feature until a patch is available.