Vulnerability Details CVE-2020-27978
Shibboleth Identity Provider 3.x before 3.4.6 has a denial of service flaw. A remote unauthenticated attacker can cause a login flow to trigger Java heap exhaustion due to the creation of objects in the Java Servlet container session.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.007
EPSS Ranking 70.6%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
Products affected by CVE-2020-27978
- cpe:2.3:a:shibboleth:identity_provider:3.0.0
- cpe:2.3:a:shibboleth:identity_provider:3.0.0.11
- cpe:2.3:a:shibboleth:identity_provider:3.1.0
- cpe:2.3:a:shibboleth:identity_provider:3.1.1
- cpe:2.3:a:shibboleth:identity_provider:3.1.1.2
- cpe:2.3:a:shibboleth:identity_provider:3.1.2
- cpe:2.3:a:shibboleth:identity_provider:3.2.0
- cpe:2.3:a:shibboleth:identity_provider:3.2.1
- cpe:2.3:a:shibboleth:identity_provider:3.2.1.1
- cpe:2.3:a:shibboleth:identity_provider:3.3.0
- cpe:2.3:a:shibboleth:identity_provider:3.3.1
- cpe:2.3:a:shibboleth:identity_provider:3.3.1.1
- cpe:2.3:a:shibboleth:identity_provider:3.3.2
- cpe:2.3:a:shibboleth:identity_provider:3.3.3
- cpe:2.3:a:shibboleth:identity_provider:3.3.3.1
- cpe:2.3:a:shibboleth:identity_provider:3.4.0
- cpe:2.3:a:shibboleth:identity_provider:3.4.1
- cpe:2.3:a:shibboleth:identity_provider:3.4.2
- cpe:2.3:a:shibboleth:identity_provider:3.4.3
- cpe:2.3:a:shibboleth:identity_provider:3.4.4
- cpe:2.3:a:shibboleth:identity_provider:3.4.5