Information disclosure in Shibboleth authentication - #VU6418

Published: May 4, 2017


Vulnerability identifier: #VU6418
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Shibboleth
Affected software:
Shibboleth authentication

Detailed vulnerability description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to an error in the session management functionality combined with the internal caching mechanism. The web application does not properly perform the logout procedure when the Shibboleth session expires, which, depending on the caching mechanism in use, can make private data public.

A remote attacker can gain access to potentially sensitive information of other website users.
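The advisory names two conditions that together produce the disclosure: an expired SSO session that is not actually logged out, and a cache that stores the resulting per-user response. The following is an added illustration of that failure class as a small in-memory model, not code from the Shibboleth module or the vendor; every name, URL, TTL and user value in it is constructed. The same request sequence is run against a weak configuration (expiry not enforced, no cache directives) and a hardened one (expiry performs a real logout, user-specific responses marked `private, no-store` so a shared cache refuses them).

```python
"""Model of the failure class from the advisory: an expired SSO session that is
not logged out, plus a shared cache, lets one client's private page reach another.
All identifiers and data here are constructed for illustration."""

SESSION_TTL = 60  # seconds; constructed value


class SessionStore:
    """Session table keyed by session id; an entry is (user, expires_at)."""

    def __init__(self):
        self._sessions = {}

    def login(self, sid, user, now):
        self._sessions[sid] = (user, now + SESSION_TTL)

    def user_for(self, sid, now, enforce_expiry):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, expires_at = entry
        if enforce_expiry and now >= expires_at:
            # Hardened behaviour: expiry is a real logout, the session is destroyed
            del self._sessions[sid]
            return None
        # Weak behaviour (enforce_expiry=False): a stale session keeps resolving
        return user


class SharedCache:
    """A shared, proxy-style cache: stores any response not marked private/no-store."""

    def __init__(self):
        self._entries = {}

    def get(self, url):
        return self._entries.get(url)

    def store(self, url, body, headers):
        cache_control = headers.get("Cache-Control", "")
        if "private" in cache_control or "no-store" in cache_control:
            return  # a correctly marked per-user response is never shared
        self._entries[url] = body


def render_profile(user):
    # Constructed private content tied to the authenticated user
    return f"Profile of {user}: email={user}@example.test"


def serve(url, sid, now, sessions, cache, hardened):
    """Serve one request; hardened toggles both expiry enforcement and cache headers."""
    cached = cache.get(url)
    if cached is not None:
        return cached
    user = sessions.user_for(sid, now, enforce_expiry=hardened)
    if user is None:
        body, headers = "Please log in", {}
    else:
        body = render_profile(user)
        headers = {"Cache-Control": "private, no-store"} if hardened else {}
    cache.store(url, body, headers)
    return body


def scenario(hardened):
    """Expired user requests a page, then an unrelated client requests the same URL.

    Returns (what the expired user saw, what the unrelated client saw)."""
    sessions, cache = SessionStore(), SharedCache()
    t0 = 1000.0
    sessions.login("sid-alice", "alice", t0)
    victim_view = serve("/profile", "sid-alice", t0 + SESSION_TTL + 1,
                        sessions, cache, hardened)
    other_view = serve("/profile", "sid-no-session", t0 + SESSION_TTL + 2,
                       sessions, cache, hardened)
    return victim_view, other_view


if __name__ == "__main__":
    for mode in (False, True):
        victim, other = scenario(hardened=mode)
        print(f"hardened={mode}: expired user saw {victim!r}; other client saw {other!r}")
```

In the weak run the stale session still resolves to the user, the private page is stored by the shared cache, and the next anonymous request for the same URL receives it. In the hardened run either defence alone is enough to stop that: enforcing expiry turns the stale request into a logout, and the `private, no-store` marking keeps any per-user response out of a shared cache even if a session check is bypassed elsewhere. When reviewing a deployment, check both: that expired sessions are destroyed server-side rather than merely timed out client-side, and that responses rendered for an authenticated session carry cache directives a shared cache will honour.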


Remediation

Update to version 7.x-4.4.

Sources