CVE Vulnerabilities

CVE-2017-16853

Improper Verification of Cryptographic Signature

Published: Nov 16, 2017 | Modified: Nov 07, 2023
CVSS 3.x
8.1
HIGH
Source:
NVD
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
6.8 MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
6.5 MODERATE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Ubuntu
MEDIUM

The DynamicMetadataProvider class in saml/saml2/metadata/impl/DynamicMetadataProvider.cpp in OpenSAML-C in OpenSAML before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform critical security checks such as signature verification, enforcement of validity periods, and other checks specific to deployments, aka CPPOST-105.

Weakness

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Affected Software

Name Vendor Start Version End Version
Opensaml Shibboleth * 2.6.1 (excluding)
Opensaml2 Ubuntu artful *
Opensaml2 Ubuntu trusty *
Opensaml2 Ubuntu upstream *
Opensaml2 Ubuntu xenial *
Opensaml2 Ubuntu zesty *

References