CVE-2025-9943

EUVD-2025-27518
An SQL injection vulnerability has been identified in the "ID" attribute of the SAML response when the replay cache of the Shibboleth Service Provider (SP) is configured to use an SQL database as storage service. An unauthenticated attacker can exploit this issue via blind SQL injection, allowing for the extraction of arbitrary data from the database, if the database connection is configured to use the ODBC plugin. The vulnerability arises from insufficient escaping of single quotes in the class SQLString (file odbc-store.cpp, lines 253-271).

This issue affects Shibboleth Service Provider through 3.5.0.
SQL Injection
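A defensive illustration of the description above (an added example, not code from Shibboleth or from this advisory): SAML 2.0 types the ID attribute as xs:ID, an XML NCName that can never contain a single quote, so a pre-check can flag such values before they reach a replay cache. The function names, the ASCII-only pattern, the length cap and the sample messages are assumptions constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# SAML 2.0 elements whose ID attribute is checked.
WATCHED = {
    "{urn:oasis:names:tc:SAML:2.0:protocol}Response",
    "{urn:oasis:names:tc:SAML:2.0:assertion}Assertion",
}
# Assumption: ASCII-only subset of the NCName production. Real NCNames also
# allow non-ASCII letters; widen the pattern if your IdP emits them.
NCNAME_ASCII = re.compile(r"[A-Za-z_][A-Za-z0-9._-]*\Z")
MAX_ID_LEN = 256  # assumed cap, not taken from the SAML specification


def check_id(value):
    """Return None when the ID is acceptable, otherwise a short reason."""
    if not value:
        return "missing ID"
    if len(value) > MAX_ID_LEN:
        return "ID too long"
    if not NCNAME_ASCII.match(value):
        return "not a valid NCName"
    return None


def audit_saml_ids(xml_text):
    """List (element, ID, reason) for each Response/Assertion with a bad ID."""
    findings = []
    # Use a hardened XML parser for untrusted input in production.
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag in WATCHED:
            reason = check_id(elem.get("ID"))
            if reason:
                findings.append((elem.tag.rsplit("}", 1)[1], elem.get("ID"), reason))
    return findings


# Constructed sample messages (not captured traffic).
_TEMPLATE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{rid}" Version="2.0">'
    '<saml:Assertion ID="_assertion-01" Version="2.0"/></samlp:Response>'
)
WELL_FORMED = _TEMPLATE.format(rid="_a1b2c3d4e5")
SUSPECT = _TEMPLATE.format(rid="_a1b2'c3d4")

if __name__ == "__main__":
    for name, doc in (("well-formed", WELL_FORMED), ("suspect", SUSPECT)):
        print(name, audit_saml_ids(doc))
```

A check like this is defense in depth in front of the SP or in log review; it does not replace installing a fixed package version.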
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 9.1 CRITICAL | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| CISA-ADP | ADP | 9.1 CRITICAL | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |

Awaiting analysis
This vulnerability is currently awaiting analysis.
EPSS Score percentile: 36%

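Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| shibboleth-sp | bookworm | 3.4.1+dfsg-2+deb12u1 | fixed |
| shibboleth-sp | bookworm (security) | 3.4.1+dfsg-2+deb12u1 | fixed |
| shibboleth-sp | bullseye | | vulnerable |
| shibboleth-sp | bullseye (security) | 3.2.2+dfsg1-1+deb11u1 | fixed |
| shibboleth-sp | forky | 3.5.2+dfsg-1 | fixed |
| shibboleth-sp | sid | 3.5.2+dfsg-1 | fixed |
| shibboleth-sp | trixie | 3.5.0+dfsg-2+deb13u1 | fixed |
| shibboleth-sp | trixie (security) | 3.5.0+dfsg-2+deb13u1 | fixed |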