#VU10777 XXE attack in Shibboleth Service Provider - CVE-2018-0489

Cybersecurity Help s.r.o.

Published: 2018-02-28 | Updated: 2021-03-19

Vulnerability identifier: #VU10777

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-0489

CWE-ID: CWE-611

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Shibboleth Service Provider
Server applications / Directory software, identity management

Vendor: Shibboleth

Description
The vulnerability allows a remote attacker to perform XXE attack.

The vulnerability exists due to an implementation flaw in the XMLTooling library. A remote attacker can add or modify specially crafted XML data, modify digital signatures of user attribute data and impersonate a user or obtain potentially sensitive information.

Mitigation
Update to version 2.6.1.4.

Vulnerable software versions

Shibboleth Service Provider: 2.5.0 - 2.6.0

External links
https://shibboleth.net/community/advisories/secadv_20180227.txt

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

XXE attack in Shibboleth

Debian update for xmltooling