Source: shibboleth-sp
Version: 3.4.1+dfsg-2
Severity: grave
Tags: upstream patch security fixed-upstream
Forwarded: https://issues.shibboleth.net/jira/browse/SSPCPP-1014
Shibboleth Service Provider Security Advisory [3 September 2025]

An updated version of the Shibboleth Service Provider is available to
correct a SQL injection vulnerability in the ODBC StorageService
extension shipped with some distributions of the software.

The vulnerability is moderate to high severity for anyone using the
ODBC plugin, and of no impact for others.

SQL injection vulnerability in Service Provider ODBC plugin
===========================================================
The Shibboleth Service Provider includes a storage API usable for a
number of different use cases such as the session cache, replay cache,
and relay state management. An ODBC extension plugin is provided with
some distributions of the software (notably on Windows).

A SQL injection vulnerability was identified in some of the queries
issued by the plugin, and this can be creatively exploited through
specially crafted inputs to exfiltrate information stored in the
database used by the SP.

Recommendations
===============
Update to V3.5.1 (or later) of the Shibboleth Service Provider, or if
you cannot, then migrate off of the ODBC storage plugin/extension.

Restarting the shibd process is sufficient to apply the change, as the
affected code runs only within that process.

Credits
=======
SEC Consult Vulnerability Lab
Florian Stuhlmann

URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20250903.txt
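The advisory gives no detail on which queries were affected or how. The following is an added, generic illustration of the vulnerability class it describes (a storage lookup whose key is concatenated into SQL, letting a crafted key read rows belonging to other contexts such as the session cache), written for this page and not taken from the Shibboleth ODBC plugin. The table layout, column names, sample rows and crafted key are all constructed assumptions; they are not the plugin's real schema or a known payload against it. It uses sqlite3 in place of ODBC so it runs offline.

```python
import sqlite3

# Constructed sample store: a generic context/name/value table standing in for
# whatever schema a storage plugin might use. Assumption: this is NOT the
# Shibboleth ODBC plugin's real schema, just a stand-in for the demonstration.
SAMPLE_ROWS = [
    ("replay", "nonce-1", "seen"),
    ("session", "_abc123", "user=alice;idp=https://idp.example.org"),
    ("relaystate", "rs-1", "https://sp.example.org/app"),
]


def make_db():
    """Create an in-memory store populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE storage (context TEXT, name TEXT, val TEXT)")
    conn.executemany("INSERT INTO storage VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def read_string_vulnerable(conn, context, name):
    """Lookup built by string concatenation: the caller-supplied name reaches
    the SQL parser, so a quote in it changes the statement's structure."""
    sql = ("SELECT val FROM storage WHERE context='%s' AND name='%s'"
           % (context, name))
    return [row[0] for row in conn.execute(sql)]


def read_string_fixed(conn, context, name):
    """Same lookup with bound parameters: the name is passed as data and can
    never alter the statement, whatever characters it contains."""
    sql = "SELECT val FROM storage WHERE context=? AND name=?"
    return [row[0] for row in conn.execute(sql, (context, name))]


# Constructed crafted key (hypothetical payload for the stand-in schema): it
# closes the string literal, appends a UNION that reads another context's rows,
# and comments out the trailing quote left by the original query.
CRAFTED_KEY = "x' UNION SELECT val FROM storage WHERE context='session' -- "


def demo():
    """Run the crafted key through both lookups against the 'replay' context.

    Returns (rows from the concatenated query, rows from the bound query).
    The first leaks the session row; the second returns nothing because no
    replay entry literally has that name.
    """
    conn = make_db()
    leaked = read_string_vulnerable(conn, "replay", CRAFTED_KEY)
    safe = read_string_fixed(conn, "replay", CRAFTED_KEY)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("concatenated query returned:", leaked)
    print("parameterized query returned:", safe)
```

The point of the comparison is the one the advisory's recommendation implies for anyone who cannot upgrade: the storage API treats keys as opaque strings supplied by code paths that handle request-derived data, so any query that splices such a key into SQL text must be replaced with a prepared statement and bound parameters (with ODBC, SQLPrepare plus SQLBindParameter) rather than escaping.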

