Vulnerability Details CVE-2010-2450
The keygen.sh script in Shibboleth SP 2.0 (located in /usr/local/etc/shibboleth by default) uses OpenSSL to create a DES private key which is placed in sp-key.pm. It relies on the root umask (default 22) instead of chmoding the resulting file itself, so the generated private key is world readable by default.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 37.8%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=571631
- https://security-tracker.debian.org/tracker/CVE-2010-2450
- https://todos.internet2.edu/browse/SSPCPP-106
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=571631
- https://security-tracker.debian.org/tracker/CVE-2010-2450
- https://todos.internet2.edu/browse/SSPCPP-106
Products affected by CVE-2010-2450
-
cpe:2.3:a:shibboleth:service_provider:2.0
-
cpe:2.3:o:debian:debian_linux:8.0
-
cpe:2.3:o:debian:debian_linux:9.0