CVE-2020-27978
First published: Wed Oct 28 2020(Updated: )
Shibboleth Identify Provider 3.x before 3.4.6 has a denial of service flaw. A remote unauthenticated attacker can cause a login flow to trigger Java heap exhaustion due to the creation of objects in the Java Servlet container session.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Shibboleth Identity Provider | >=3.0.0<3.4.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the vulnerability ID for Shibboleth Identify Provider?
The vulnerability ID for Shibboleth Identify Provider is CVE-2020-27978.
What is the severity of CVE-2020-27978?
The severity of CVE-2020-27978 is high with a CVSS score of 7.5.
How does CVE-2020-27978 affect Shibboleth Identify Provider?
CVE-2020-27978 is a denial of service flaw that can cause Java heap exhaustion in Shibboleth Identify Provider.
How can a remote unauthenticated attacker exploit CVE-2020-27978?
A remote unauthenticated attacker can exploit CVE-2020-27978 by causing a login flow to trigger Java heap exhaustion.
How can I fix CVE-2020-27978?
To fix CVE-2020-27978, you should upgrade Shibboleth Identify Provider to version 3.4.6 or later.
- collector/nvd-index
- agent/references
- agent/severity
- agent/weakness
- agent/author
- agent/type
- agent/event
- agent/description
- agent/first-publish-date
- agent/softwarecombine
- agent/last-modified-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/shibboleth
- canonical/shibboleth identity provider
- version/shibboleth identity provider/3.0.0