This is the advisory page for Identity Provider V3 releases. For the older V2 IdP or Service Provider advisories, refer to the V2 SecurityAdvisories page.

For IdP V4 advisories, please see the V4 SecurityAdvisories page.

As a courtesy, you can also find Jetty advisories at https://www.eclipse.org/jetty/security-reports.html and Tomcat advisories at http://tomcat.apache.org/security.html

This page provides access to the complete history of Security Advisories released for the Shibboleth V3 Identity Provider and an "at a glance" table showing you which releases are vulnerable to what kinds of issues. If you're running a particular version, you can use this table to identify the issues that could affect your system and determine how urgent an upgrade is. In addition to the announce mailing list, you can "watch" this page for changes to keep abreast.

You can determine the exact version you're running based on the process log during startup.

If you would like to report an issue you believe is security related, please drop an e-mail to security@shibboleth.net

As always, sites are advised to use the latest stable release of any Shibboleth product. Refer to the ProductVersioning page for information about our support and versioning policies. The Home page identifies the specific versions recommended at a given point in time

This page only covers advisories affecting the V3 Identity Provider software. Other advisories are not listed here, but you can find the complete set of advisories in this directory.

Obviously not all vulnerabilities are created equal, and the classifications in the matrices are general in nature, and are meant to point you to the relevant advisories to look into.

A particular version will typically be implicated by any advisories noted for it and for any newer versions above it in the tables.

Advisories noted for "All" versions should be reviewed by all deployers for relevancy to their deployment. Typically this indicates that an advisory is at least partly discussing issues that go beyond the scope of what the Shibboleth software can actually remediate and may affect the deployment as a whole. It does not in general refer to unfixed vulnerabilities in the Shibboleth software itself.

Identity Provider Vulnerability Matrix

The oldest IdP 3 version unaffected by fixable vulnerabilities is 3.4.6.

Version	EOL	User Data Exposure	User Data Accuracy	Session Hijacking	Denial of Service	Remote Exploit	Advisories
All		X	X			X	2018-01-23, 2017-05-18
3.4.8	Dec 31, 2020
3.4.7	Dec 2020
3.4.6	Jul 2020
3.4.5	Oct 2019	X	X		X	X	2019-10-02
3.4.4	Sep 2019	X	X		X	X	2019-09-18
3.4.3	May 2019	X	X		X	X
3.4.2	Jan 2019	X	X		X	X
3.4.1	Dec 2018	X		X	X		2018-12-19
3.4.0	Nov 2018	X	X	X	X
3.3.3	Oct 2018	X	X	X	X
3.3.2	May 2018	X	X	X	X		2018-05-16
3.3.1	Oct 2017	X	X	X	X		2017-10-04
3.3.0	Mar 2017	X		X	X		2017-03-15
3.2.1	Nov 2016		X	X	X		2016-10-27
3.2.0	Dec 2015		X	X	X
3.1.2	Nov 2015		X	X	X
3.1.1	Jul 2015		X	X	X
3.1.0	Mar 2015		X	X	X		2015-03-26
3.0.0	Mar 2015		X	X	X

Advisory List

Date	Title	Affects	Severity
2019-10-02	Denial of service via External authentication flows	IDP < 3.4.6	low
2019-09-18	Improper exposure of pairwise identifiers to relying parties	IDP < 3.4.5	moderate
2018-12-19	Shibboleth IdP Vulnerable to Untrusted Relying Party Access Via CAS Proxy	IDP < 3.4.2	moderate
2018-05-16	Vulnerable to information disclosure via CAS protocol	IDP < 3.3.0	high
2018-01-23	Implications of ROBOT TLS vulnerability	All	high
2017-10-04	LDAP Data Connector insecure when using default JVM trust	IDP < 3.3.2	high
2017-05-18	Default Kerberos configurations are unsafe	All	high
2017-03-15	Design flaw can result in second-factor authentication bypass	IDP < 3.3.1	high
2016-10-27	Collision in LDAP Data Connector result set cache	IDP >= 3.0.0, < 3.3.0	critical
2015-03-26	Interrupted HTTP Connections Lead to Denial of Service	IdP >= 3.0.0, < 3.1.1	high