CVE-2020-27978

Published: Oct 28, 2020Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

Shibboleth Identify Provider 3.x before 3.4.6 has a denial of service flaw. A remote unauthenticated attacker can cause a login flow to trigger Java heap exhaustion due to the creation of objects in the Java Servlet container session.

Affected (1)

Products: Shibboleth: Identity Provider

Shibboleth

1 product

Identity Provider

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Shibboleth Identity Provider	From 3.0.0 to 3.4.6

Related CWEs

CWE-770

Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

References (2)

https://shibboleth.net/community/advisories/secadv_20191002.txt

Source: cve@mitre.org

Vendor Advisory

https://shibboleth.net/community/advisories/secadv_20191002.txt

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.