Date | Title | Affects | Severity | CVE
---|---|---|---|---
2018-02-27 | Shibboleth SP software vulnerable to additional data forgery flaws | SP w/ xmltooling < 1.6.4 | critical | CVE-2018-0489
2018-01-23 | Implications of ROBOT TLS vulnerability | All | high |
2018-01-12 | Shibboleth SP software vulnerable to forged user attribute data | SP w/ Xerces-C < 3.1.4 AND xmltooling < 1.6.3 | critical | CVE-2018-0486
2017-11-15 | Dynamic MetadataProvider fails to install security filters | SP < 2.6.1 | critical |
2016-06-29 | Apache Xerces-C XML Parser Crashes on Malformed DTD | SP w/ Xerces-C < 3.1.4 | medium | CVE-2016-4463
2016-05-04 | Shibboleth SP software <PathRegex> feature implemented incorrectly | SP (all released versions) | high |
2016-02-25 | Apache Xerces-C XML Parser Crashes on Malformed Input | SP w/ Xerces-C < 3.1.3 | high | CVE-2016-0729
2015-07-21 | Shibboleth SP software crashes on well-formed but invalid XML | SP w/ xmltooling < 1.5.5, libsaml < 2.5.5 | medium | CVE-2015-2684
2015-03-19 | Shibboleth SP software crashes on malformed input messages | SP < 2.5.4, Xerces-C < 3.1.2 | medium | CVE-2015-0252
2015-02-25 | Identity Provider and OpenSAML-J PKIX Trust Engines Exhibit Critical Flaw In Trusted Names Evaluation | IdP < 2.4.4, OpenSAML-J < 2.6.5 | high |
2014-11-03 | Xerces-J XML Parser Vulnerable to Denial of Service | IdP with Xerces endorsed | medium | CVE-2013-4002
2014-09-19 | Shibboleth Identity Provider and OpenSAML-J HTTPS and LDAPS Connections Do Not Perform Proper Hostname Verification | IdP < 2.4.2, OpenSAML-J < 2.6.3 | high | CVE-2014-3604, CVE-2014-3607
2014-08-13 | HTTPS Connections Via HTTP Resources Do Not Perform Hostname Verification | IdP < 2.4.1, OpenSAML-J < 2.6.2 | medium | CVE-2014-3603
2014-06-08 | OpenSSL MITM issue | SP with any affected OpenSSL version, IdP w/ OpenSSL 1.0.1 - 1.0.1g | high | CVE-2014-0224
2014-04-09 | OpenSSL "Heartbleed" vulnerability | SP or IdP w/ OpenSSL 1.0.1 - 1.0.1f | very high | CVE-2014-0160
2013-12-15 | OpenSAML Java ParserPool and Decrypter Vulnerable To XML Attacks | OpenSAML-J < 2.6.1 | medium |
2013-12-02 | Curl library skips TLS server certificate name checking | SP w/ libcurl between 7.18.0 and 7.33.0 | low | CVE-2013-4545
2013-06-18 | Shibboleth SP heap overflow processing InclusiveNamespace PrefixList | SP w/ libxml-security-c < 1.7.1 | high | CVE-2013-2156
2013-04-17 | Identity Provider HTTP-based Metadata Providers did not perform hostname verification | IdP < 2.4.0 | medium |
2013-04-17 | Identity Provider issue In Metadata Providers with 'disregardSslCertificate' option | IdP < 2.4.0 | medium |
2013-01-10 | Shibboleth SP software crashes on malformed IdP History Cookie | SP w/ libsaml 2.5.0 or 2.5.1 | low |
2012-04-19 | OpenSSL ASN1 BIO vulnerability | SP w/ openssl < 1.0.0i | high | CVE-2012-2110
2012-02-27 | Identity Provider LDAPS Connections Do Not Perform Hostname Verification | IdP < 2.3.6 | high |
2011-10-24 | Use of XML Encryption Vulnerable to Chosen Ciphertext Attacks | SP and IdP, all versions | medium |
2011-07-25 | OpenSAML software is vulnerable to XML Signature wrapping attacks | IdP < 2.3.2, SP w/ libsaml < 2.4.3 | high | CVE-2011-1411
2011-07-18 | Multi-Session Information Leakage | IdP >= 2.1 | medium |
2011-07-06 | Shibboleth SP software crashes on large signing/encryption keys | SP w/ libxml-security-c < 1.6.1 | high | CVE-2011-2516
2011-05-16 | Velocity templates vulnerable to XSS (cross-site scripting) injection | IdP < 2.3.0 | high |
2011-01-13 | Shibboleth IdP 2.X Single TransientID Mapped to Multiple Principals | IdP < 2.2.1 | high |
2009-11-04 | Shibboleth software improperly handles malformed URLs | IdP < 2.1.5, SP < 2.3 | high | CVE-2009-3300
2009-08-26 | Shibboleth SP software improperly handles malformed URLs | SP w/ libxmltooling < 1.2.2 | high |
2009-08-17 | Shibboleth SP software improperly evaluates KeyDescriptors | SP < 2.2.1 | low |
2009-08-17 | Shibboleth SP software improperly handles certificate names | SP < 2.2.1 or w/ libcurl < 7.19.6 | high |
2009-06-19 | Potential Access to Sensitive Information when Clustering Shibboleth 2.X IdPs | IdP, all versions w/ Terracotta | medium |
2009-06-15 | Shibboleth SP software on IIS vulnerable to header spoofing | SP < 2.2 w/ IIS, but see this | high |
2009-02-24 | Shibboleth IdP 2.X cross-site request attack | IdP < 2.2.0 | high |
2008-11-03 | Shibboleth IdP 2.0 UsernamePassword Login Handler Vulnerable to Cross-site Request Attack | IdP < 2.1.0 | high |