Improper File Permissions in Shibboleth Service Provider by Shibboleth Consortium
CVE-2019-19191

7.8HIGH

Key Information:

Vendor

Shibboleth

Status
Service Provider
Vendor
CVE Published:
21 November 2019

What is CVE-2019-19191?

The Shibboleth Service Provider (SP) versions prior to 3.1.0 contain a vulnerability that allows users with access to the service to escalate their privileges. This is achieved by exploiting a configuration flaw that enables the service user account to change file ownership of sensitive files, including system files like /etc/shadow, through symlink manipulation. A malicious actor could gain unauthorized access to these files, posing a significant security risk.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

References

https://issues.shibboleth.net/jira/browse/SSPCPP-874
x_refsource_MISC
https://bugzilla.suse.com/show_bug.cgi?id=1157471
x_refsource_MISC
http://lists.opensuse.org/opensuse-security-announce/2020...
vendor-advisoryx_refsource_SUSE

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.