Shibboleth Service Provider
cpe:2.3:a:shibboleth:service_provider:*:*:*:*:*:*:*
- <= 3.5.0
A SQL injection vulnerability has been identified in the Shibboleth Service Provider (SP) ODBC extension, affecting versions through 3.5.0. The vulnerability arises in the 'ID' attribute of the SAML response when the replay cache is stored in an SQL database using the ODBC plugin, which is available in some distributions of Shibboleth SP, particularly on Windows. This flaw allows an unauthenticated attacker to perform blind SQL injection, extracting arbitrary data from the database.
Successful exploitation gives an attacker blind SQL injection against the database used by the Shibboleth Service Provider and lets them extract arbitrary data from it. This applies only if the database connection uses the ODBC plugin.
Users are advised to update to Shibboleth Service Provider version 3.5.1 or later. If an update is not possible, migrate off the ODBC storage plugin/extension. After updating, restart the shibd process to apply the changes.
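A configuration check for the exposure condition described above, as an added example (not code from the Shibboleth project or from this advisory): it reports whether the replay cache in an SP configuration is backed by an ODBC storage service and whether the installed version falls in the affected range. The sample configuration is constructed, and the element and attribute names (StorageService, ReplayCache, type="ODBC") are assumed to follow the standard SP 3 shibboleth2.xml layout.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shibboleth2.xml fragment, not taken from a real deployment.
SAMPLE = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <OutOfProcess>
    <Extensions><Library path="odbc-store.so" fatal="true"/></Extensions>
  </OutOfProcess>
  <StorageService type="ODBC" id="db" cleanupInterval="900">
    <ConnectionString>DRIVER=placeholder;SERVER=placeholder</ConnectionString>
  </StorageService>
  <StorageService type="Memory" id="mem" cleanupInterval="900"/>
  <SessionCache type="StorageService" StorageService="mem"/>
  <ReplayCache StorageService="db"/>
</SPConfig>"""


def _local(tag):
    """Strip the XML namespace so the check does not depend on the config schema URI."""
    return tag.rsplit("}", 1)[-1]


def odbc_replay_cache(config_xml):
    """Return the id of the ODBC StorageService backing <ReplayCache>, or None."""
    root = ET.fromstring(config_xml)
    odbc_ids = {
        el.get("id") for el in root.iter()
        if _local(el.tag) == "StorageService" and el.get("type") == "ODBC"
    }
    odbc_ids.discard(None)
    for el in root.iter():
        if _local(el.tag) == "ReplayCache" and el.get("StorageService") in odbc_ids:
            return el.get("StorageService")
    return None


def affected_version(version):
    """True for versions through 3.5.0 (3.5.1 carries the fix, per the advisory)."""
    parts = [int(n) for n in re.findall(r"\d+", version)[:3]]
    parts += [0] * (3 - len(parts))
    return tuple(parts) <= (3, 5, 0)


def exposed(version, config_xml):
    """Both conditions from the advisory: affected version and ODBC-backed replay cache."""
    return affected_version(version) and odbc_replay_cache(config_xml) is not None


if __name__ == "__main__":
    print("ODBC replay cache id:", odbc_replay_cache(SAMPLE))
    print("exposed on 3.5.0:", exposed("3.5.0", SAMPLE))
```

A result of False from exposed() on an affected version means the replay cache is not on the ODBC plugin in that file; updating to 3.5.1 or later is still the advised fix.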