{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-11-16T00:00:00", "descriptions": [{"lang": "en", "value": "The DynamicMetadataProvider class in saml/saml2/metadata/impl/DynamicMetadataProvider.cpp in OpenSAML-C in OpenSAML before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform critical security checks such as signature verification, enforcement of validity periods, and other checks specific to deployments, aka CPPOST-105."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-02-02T10:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "DSA-4039", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2017/dsa-4039"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.debian.org/881856"}, {"name": "101898", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/101898"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://git.shibboleth.net/view/?p=cpp-opensaml.git%3Ba=commit%3Bh=6182b0acf2df670e75423c2ed7afe6950ef11c9d"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://shibboleth.net/community/advisories/secadv_20171115.txt"}, {"name": "[debian-lts-announce] 20171118 [SECURITY] [DLA 1178-1] opensaml2 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2017/11/msg00024.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-16853", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The DynamicMetadataProvider class in saml/saml2/metadata/impl/DynamicMetadataProvider.cpp in OpenSAML-C in OpenSAML before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform critical security checks such as signature verification, enforcement of validity periods, and other checks specific to deployments, aka CPPOST-105."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "DSA-4039", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2017/dsa-4039"}, {"name": "https://bugs.debian.org/881856", "refsource": "CONFIRM", "url": "https://bugs.debian.org/881856"}, {"name": "101898", "refsource": "BID", "url": "http://www.securityfocus.com/bid/101898"}, {"name": "https://git.shibboleth.net/view/?p=cpp-opensaml.git;a=commit;h=6182b0acf2df670e75423c2ed7afe6950ef11c9d", "refsource": "CONFIRM", "url": "https://git.shibboleth.net/view/?p=cpp-opensaml.git;a=commit;h=6182b0acf2df670e75423c2ed7afe6950ef11c9d"}, {"name": "https://shibboleth.net/community/advisories/secadv_20171115.txt", "refsource": "CONFIRM", "url": "https://shibboleth.net/community/advisories/secadv_20171115.txt"}, {"name": "[debian-lts-announce] 20171118 [SECURITY] [DLA 1178-1] opensaml2 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2017/11/msg00024.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T20:35:21.236Z"}, "title": "CVE Program Container", "references": [{"name": "DSA-4039", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2017/dsa-4039"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugs.debian.org/881856"}, {"name": "101898", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/101898"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://git.shibboleth.net/view/?p=cpp-opensaml.git%3Ba=commit%3Bh=6182b0acf2df670e75423c2ed7afe6950ef11c9d"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://shibboleth.net/community/advisories/secadv_20171115.txt"}, {"name": "[debian-lts-announce] 20171118 [SECURITY] [DLA 1178-1] opensaml2 security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2017/11/msg00024.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-16853", "datePublished": "2017-11-16T17:00:00", "dateReserved": "2017-11-16T00:00:00", "dateUpdated": "2024-08-05T20:35:21.236Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:shibboleth:opensaml:*:*:*:*:*:*:*:*", "matchCriteriaId": "056B1868-F286-400A-AD93-69B15BB90E84", "versionEndExcluding": "2.6.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The DynamicMetadataProvider class in saml/saml2/metadata/impl/DynamicMetadataProvider.cpp in OpenSAML-C in OpenSAML before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform critical security checks such as signature verification, enforcement of validity periods, and other checks specific to deployments, aka CPPOST-105."}, {"lang": "es", "value": "La clase DynamicMetadataProvider en saml/saml2/metadata/impl/DynamicMetadataProvider.cpp en OpenSAML-C en OpenSAML, en versiones anteriores a la 2.6.1, no se configura correctamente con los plugins MetadataFilter y no realiza las verificaciones de seguridad cr\u00edticas como la verificaci\u00f3n de firmas, cumplimiento de los periodos de validez y otras comprobaciones espec\u00edficas de despliegues. Esta vulnerabilidad tambi\u00e9n se conoce como CPPOST-105."}], "id": "CVE-2017-16853", "lastModified": "2025-04-20T01:37:25.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-11-16T17:29:00.497", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/101898"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugs.debian.org/881856"}, {"source": "cve@mitre.org", "url": "https://git.shibboleth.net/view/?p=cpp-opensaml.git%3Ba=commit%3Bh=6182b0acf2df670e75423c2ed7afe6950ef11c9d"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2017/11/msg00024.html"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://shibboleth.net/community/advisories/secadv_20171115.txt"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://www.debian.org/security/2017/dsa-4039"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/101898"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugs.debian.org/881856"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.shibboleth.net/view/?p=cpp-opensaml.git%3Ba=commit%3Bh=6182b0acf2df670e75423c2ed7afe6950ef11c9d"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2017/11/msg00024.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://shibboleth.net/community/advisories/secadv_20171115.txt"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://www.debian.org/security/2017/dsa-4039"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "opensaml: The DynamicMetadataProvider class does not perform various security checks", "id": "1518584", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1518584"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-358", "details": ["The DynamicMetadataProvider class in saml/saml2/metadata/impl/DynamicMetadataProvider.cpp in OpenSAML-C in OpenSAML before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform critical security checks such as signature verification, enforcement of validity periods, and other checks specific to deployments, aka CPPOST-105."], "name": "CVE-2017-16853", "package_state": [{"cpe": "cpe:/a:redhat:jboss_data_grid:6", "fix_state": "Not affected", "package_name": "opensaml", "product_name": "Red Hat JBoss Data Grid 6"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Not affected", "package_name": "opensaml", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Not affected", "package_name": "opensaml", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "opensaml-core", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Not affected", "package_name": "opensaml", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:jboss_operations_network:3", "fix_state": "Not affected", "package_name": "opensaml", "product_name": "Red Hat JBoss Operations Network 3"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:6", "fix_state": "Not affected", "package_name": "opensaml", "product_name": "Red Hat JBoss Portal 6"}], "public_date": "2017-11-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2017-16853\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-16853"], "threat_severity": "Moderate"}