Bug#1114506: shibboleth-sp: SQL injection vulnerability in Service Provider ODBC plugin
Ferenc Wágner
wferi at debian.org
Sat Sep 6 10:36:55 BST 2025
Source: shibboleth-sp
Version: 3.4.1+dfsg-2
Severity: grave
Tags: upstream patch security fixed-upstream
Forwarded: https://issues.shibboleth.net/jira/browse/SSPCPP-1014
Shibboleth Service Provider Security Advisory [3 September 2025]
An updated version of the Shibboleth Service Provider is available
to correct a SQL injection vulnerability in the ODBC StorageService
extension shipped with some distributions of the software.
The vulnerability is moderate to high severity for anyone using
the ODBC plugin, and of no impact for others.
SQL injection vulnerability in Service Provider ODBC plugin
===========================================================
The Shibboleth Service Provider includes a storage API usable
for a number of different use cases such as the session cache,
replay cache, and relay state management. An ODBC extension
plugin is provided with some distributions of the software
(notably on Windows).
A SQL injection vulnerability was identified in some of the
queries issued by the plugin, and this can be creatively
exploited through specially crafted inputs to exfiltrate
information stored in the database used by the SP.
Recommendations
===============
Update to V3.5.1 (or later) of the Shibboleth Service Provider,
or if you cannot, then migrate off of the ODBC storage
plugin/extension.
Restarting the shibd process is sufficient to apply the change,
as the affected code runs only within that process.
Credits
=======
SEC Consult Vulnerability Lab
Florian Stuhlmann
URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20250903.txt