PT-2020-16885 · Shibboleth · Shibboleth Identity Provider

Published

2020-10-28

Updated

2022-02-08

CVE-2020-27978

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions Shibboleth Identify Provider versions prior to 3.4.6

Description The issue is a denial of service flaw that allows a remote unauthenticated attacker to cause a login flow to trigger Java heap exhaustion. This occurs due to the creation of objects in the Java Servlet container session.

Recommendations For versions prior to 3.4.6, update to version 3.4.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the login flow to minimize the risk of exploitation.

Fix

Allocation of Resources Without Limits

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-770

Related Identifiers

CVE-2020-27978

Affected Products

Shibboleth Identity Provider

PT-2020-16885 · Shibboleth · Shibboleth Identity Provider

CVE-2020-27978

Weakness Enumeration

Related Identifiers

Affected Products

References · 4