CVE-2025-9943

An SQL injection vulnerability has been identified in the Shibboleth Service Provider.

A critical SQL injection vulnerability has been discovered in the Shibboleth Service Provider software, impacting systems that use a SQL database for the SAML replay cache.

Executive summary

A critical SQL injection vulnerability has been discovered in the Shibboleth Service Provider software, impacting systems that use a SQL database for the SAML replay cache. An attacker can exploit this flaw by sending a specially crafted SAML authentication response, potentially allowing them to take control of the underlying database, bypass security controls, and access sensitive information. Due to its critical severity, immediate patching is strongly recommended to prevent system compromise.

Vulnerability

The vulnerability exists within the Shibboleth Service Provider's replay cache functionality. When the replay cache is configured to use a SQL-based storage service, the software embeds the "ID" attribute of an incoming SAML response in a database query without proper escaping or parameter binding. An unauthenticated attacker can craft a malicious SAML response containing SQL syntax within the "ID" attribute. When the Service Provider processes this response to check for replays, the embedded SQL is executed by the back-end database, leading to a classic SQL injection attack.
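As an added illustration of the flaw described above (example code, not the Shibboleth SP's own storage-service implementation), here is a minimal SQL-backed replay cache in Python with the injectable pattern next to the parameterized fix; the table layout, context name and ID values are constructed assumptions:

```python
import sqlite3
import time

# Constructed, illustrative replay cache modelled on the behaviour described
# above: a SAML response's ID attribute is recorded in a SQL table so a second
# presentation can be refused. Example code, not the Shibboleth SP's own
# storage-service implementation.

def open_cache() -> sqlite3.Connection:
    """Create an in-memory cache table keyed on (context, id)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE replay (context TEXT, id TEXT, expires INTEGER, "
        "PRIMARY KEY (context, id))"
    )
    return conn

def check_replay_unsafe(conn, context, saml_id, ttl=300, now=None):
    """Vulnerable pattern: the attacker-controlled ID is spliced into the SQL
    text, so a quote or SQL syntax in it alters the statement, not the data."""
    now = int(time.time()) if now is None else now
    seen = conn.execute(
        f"SELECT 1 FROM replay WHERE context='{context}' AND id='{saml_id}' "
        f"AND expires > {now}"
    ).fetchone()
    if seen:
        return True
    conn.execute(f"INSERT INTO replay VALUES ('{context}', '{saml_id}', {now + ttl})")
    return False

def check_replay_safe(conn, context, saml_id, ttl=300, now=None):
    """Hardened pattern: the ID is bound as a parameter and stays opaque text.
    A single INSERT on the primary key also removes the check-then-insert race.
    Returns True when the ID was already seen within its TTL (a replay)."""
    now = int(time.time()) if now is None else now
    conn.execute("DELETE FROM replay WHERE expires <= ?", (now,))  # purge old
    try:
        conn.execute(
            "INSERT INTO replay (context, id, expires) VALUES (?, ?, ?)",
            (context, saml_id, now + ttl),
        )
    except sqlite3.IntegrityError:
        return True
    return False
```

With the parameterized version an ID carrying a stray quote is stored verbatim and correctly flagged on its second presentation, while the string-spliced version fails as soon as the ID stops being a well-formed token.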

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.1. Successful exploitation could have a catastrophic impact on the organization's security posture. Since the Shibboleth Service Provider is a core component of authentication and authorization infrastructure, an attacker could potentially bypass authentication mechanisms, escalate privileges, and gain unauthorized access to protected applications and sensitive data. Further risks include data exfiltration, modification, or deletion from the database, and in some configurations, remote code execution on the database server, leading to a complete compromise of the affected systems and a severe breach of data confidentiality and integrity.

Remediation

Immediate Action: Update the Shibboleth Service Provider to the latest version. Monitor for exploitation attempts and review access logs.

Proactive Monitoring:

  • Monitor database logs for unusual or malformed SQL queries originating from the Shibboleth Service Provider application. Look for queries that contain nested SELECT statements, UNION operators, or other SQL syntax within the values being checked.
  • Review Shibboleth SP logs (e.g., shibd.log) for errors or warnings related to SAML response processing and database connectivity.
  • Implement network intrusion detection systems (IDS) or web application firewalls (WAF) with rules to detect and block common SQL injection patterns within SAML assertions sent to the Service Provider endpoints.

Compensating Controls:

  • If patching is not immediately possible, consider changing the replay cache storage service from a SQL database to a non-SQL alternative, such as the default in-memory storage, if your architecture permits.
  • Implement a Web Application Firewall (WAF) with robust SQL injection filtering rules specifically for the SAML endpoints.
  • Ensure the database account used by the Shibboleth SP has the minimum necessary privileges (least privilege principle), restricting its ability to read sensitive tables or execute system-level commands.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS score of 9.1 and the vulnerability's location within a critical authentication component, we recommend that organizations treat this as a high-priority threat. The remediation plan should be executed immediately. All internet-facing Shibboleth Service Provider instances should be identified and patched first. Although this CVE is not currently on the CISA KEV list, its severity makes it a likely candidate for future inclusion, and it should be addressed with the utmost urgency.