PT-2019-6543 · Openssl+1

Dominic Hargreaves · Published 2019-11-07 · Updated 2019-11-13 · CVE-2010-2450

CVSS v2.0: 5.0 (Medium)

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Shibboleth SP version 2.0

Description

The keygen.sh script in Shibboleth SP uses OpenSSL to create a DES private key, which is placed in sp-key.pm. This script relies on the root umask instead of setting the permissions for the resulting file, making the generated private key world-readable by default.

Recommendations

For Shibboleth SP version 2.0, consider modifying the keygen.sh script to properly set the permissions for the generated private key, or manually change the permissions of the sp-key.pm file to prevent it from being world-readable. As a temporary workaround, restrict access to the sp-key.pm file to minimize the risk of exploitation.
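
The sketch below contrasts the umask-dependent pattern described above with a hardened one, and adds a check for group/other access on a key file. It is an added example, not code from keygen.sh or the Shibboleth project; the function names are hypothetical, and `make_key` is a stand-in that writes constructed placeholder bytes in place of the OpenSSL step.

```shell
#!/bin/sh
# Added example: make_key, keygen_default, keygen_hardened and
# key_is_private are hypothetical names, not taken from keygen.sh.

# Stand-in for the OpenSSL key-generation step: emits constructed
# placeholder bytes, not real key material.
make_key() {
    printf '%s\n' '-----CONSTRUCTED PLACEHOLDER, NOT A KEY-----'
}

# Pattern from the description: the file mode is whatever the caller's
# umask leaves (0644 under the common root umask of 022).
keygen_default() {
    make_key > "$1"
}

# Hardened pattern: tighten the umask inside a subshell so the file is
# never created with group/other bits, then set the mode explicitly.
keygen_hardened() (
    umask 077
    rm -f -- "$1"            # a pre-existing file would keep its old mode
    make_key > "$1" && chmod 600 -- "$1"
)

# Audit check: succeeds only if no group/other permission bit is set.
# Reads the mode string from ls to avoid stat(1) portability differences.
key_is_private() {
    [ -f "$1" ] || return 2
    mode=$(ls -ld -- "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Demonstration in a temporary directory with a forced 022 umask.
demo() (
    dir=$(mktemp -d) || exit 1
    trap 'rm -rf -- "$dir"' EXIT
    umask 022
    keygen_default  "$dir/default.key"
    keygen_hardened "$dir/hardened.key"
    for f in default.key hardened.key; do
        if key_is_private "$dir/$f"; then echo "$f: private"
        else echo "$f: readable by group/other"; fi
    done
)
demo
```

On an existing installation, `key_is_private` can be pointed at the deployed key file, with `chmod 600` applied if it fails.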

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2010-2450

Affected Products

Openssl
Shibboleth-Sp