CVE-2025-9943
📋 TL;DR
An SQL injection vulnerability in Shibboleth Service Provider allows unauthenticated attackers to extract arbitrary data from the database when using ODBC-based replay cache storage. This affects all Shibboleth SP versions through 3.5.0 configured with SQL database replay cache. Attackers can perform blind SQL injection via the SAML response ID attribute.
💻 Affected Systems
- Shibboleth Service Provider
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including authentication credentials, user data, and potentially lateral movement to connected systems
Likely Case
Extraction of sensitive user information, session data, and authentication tokens from the Shibboleth database
If Mitigated
Limited data exposure if database permissions are restricted and network segmentation is in place
🎯 Exploit Status
Blind SQL injection via a SAML response requires an understanding of the SAML protocol, but tools exist to automate it
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.1
Vendor Advisory: https://shibboleth.net/community/advisories/secadv_20250903.txt
Restart Required: Yes
Instructions:
1. Download Shibboleth SP 3.5.1 from https://shibboleth.net/downloads/service-provider/3.5.1/
2. Stop the Shibboleth service
3. Install the update
4. Restart the Shibboleth service
🔧 Temporary Workarounds
Switch to in-memory replay cache
Change the replay cache configuration from the SQL database to in-memory storage
Edit shibboleth2.xml: change <ReplayCache type="ODBC" ...> to <ReplayCache type="Memory" ...>
Restrict database permissions
Limit the database user's permissions to only the operations it needs
REVOKE ALL PRIVILEGES ON shibboleth.* FROM 'shibuser'@'%';
GRANT SELECT, INSERT, DELETE ON shibboleth.replay_cache TO 'shibuser'@'%';
🧯 If You Can't Patch
- Implement WAF rules to block SQL injection patterns in SAML responses
- Use network segmentation to restrict access to the Shibboleth endpoints and the database
🔍 How to Verify
Check if Vulnerable:
Check whether you are running Shibboleth SP 3.5.0 or earlier with an ODBC-backed replay cache configured in shibboleth2.xml
Check Version:
shibd -v
Verify Fix Applied:
Verify that the version is 3.5.1 or higher and check odbc-store.cpp for proper single-quote escaping
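As an added example (not from the advisory or the Shibboleth project), the following Python script performs the two checks above offline: it reads a shibboleth2.xml and resolves which storage backs the ReplayCache, then compares the reported version against 3.5.0. It accepts both the inline `<ReplayCache type="...">` form shown in the workaround above and the form used in the stock SP configuration, where `<ReplayCache StorageService="id"/>` refers to a separately declared `<StorageService type="ODBC" id="id">`. The embedded configuration fragments are constructed samples, and the version string is whatever you copy from the `shibd -v` output (the script picks out the first `x.y.z` it finds).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample fragments of shibboleth2.xml (not from a real deployment).
# First: replay cache backed by the ODBC plugin via a StorageService reference.
SAMPLE_CONFIG_ODBC = """\
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <StorageService type="ODBC" id="db" cleanupInterval="900">
    <ConnectionString>DRIVER=PLACEHOLDER;DATABASE=shibboleth</ConnectionString>
  </StorageService>
  <StorageService type="Memory" id="mem" cleanupInterval="900"/>
  <SessionCache type="StorageService" StorageService="mem" cacheAllowance="900"/>
  <ReplayCache StorageService="db"/>
</SPConfig>
"""

# Second: the in-memory workaround.
SAMPLE_CONFIG_MEMORY = """\
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <StorageService type="Memory" id="mem" cleanupInterval="900"/>
  <SessionCache type="StorageService" StorageService="mem" cacheAllowance="900"/>
  <ReplayCache StorageService="mem"/>
</SPConfig>
"""

# Third: the inline form quoted in the workaround text.
SAMPLE_CONFIG_INLINE = """\
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ReplayCache type="ODBC"/>
</SPConfig>
"""


def _local(tag):
    """Strip the XML namespace so we can match on element names."""
    return tag.rsplit("}", 1)[-1]


def replay_cache_backend(config_xml):
    """Return the storage type behind the ReplayCache ('ODBC', 'Memory', ...)
    or 'unknown' when the reference cannot be resolved."""
    root = ET.fromstring(config_xml)
    stores = {}
    for el in root.iter():
        if _local(el.tag) == "StorageService" and "id" in el.attrib:
            stores[el.attrib["id"]] = el.attrib.get("type", "unknown")
    for el in root.iter():
        if _local(el.tag) == "ReplayCache":
            if "type" in el.attrib:          # inline form
                return el.attrib["type"]
            ref = el.attrib.get("StorageService")
            if ref:                          # reference form (stock config)
                return stores.get(ref, "unknown")
            return "Memory"                  # assumption: no reference means the built-in memory store
    return "unknown"


def version_is_affected(version_text):
    """Per the advisory, releases through 3.5.0 are affected; 3.5.1 carries the fix."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_text)
    if not m:
        raise ValueError("no x.y.z version found in %r" % version_text)
    return tuple(int(p) for p in m.groups()) <= (3, 5, 0)


def assess(version_text, config_xml):
    """Combine both checks: vulnerable only if the version is old AND the
    replay cache actually sits on the ODBC store."""
    backend = replay_cache_backend(config_xml)
    return {
        "version_affected": version_is_affected(version_text),
        "replay_cache_backend": backend,
        "vulnerable": version_is_affected(version_text) and backend == "ODBC",
    }


if __name__ == "__main__":
    for name, cfg in (("odbc", SAMPLE_CONFIG_ODBC), ("memory", SAMPLE_CONFIG_MEMORY)):
        print(name, assess("shibd version 3.5.0", cfg))
```

Run it against your own file with `assess(open("/path/to/shibd -v output").read(), open("/etc/shibboleth/shibboleth2.xml").read())`; a result of `vulnerable: False` with `replay_cache_backend: ODBC` simply means the version is already 3.5.1 or later.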
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in Shibboleth logs
- Multiple failed SAML responses with crafted ID attributes
- Database connection errors from Shibboleth process
Network Indicators:
- SAML responses with SQL injection patterns in ID attribute
- Unusual database queries from Shibboleth host
SIEM Query:
source="shibboleth.log" AND ("SQL" OR "database" OR "ODBC") AND ("error" OR "failed" OR "exception")
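The following Python script is an added example, not part of the original entry, that turns the indicators and the SIEM query above into something you can run against a copy of shibd.log offline. It applies the same two keyword groups as the SIEM query to each log message, then groups hits by minute so that a burst of storage errors (the "multiple failed SAML responses" indicator) stands out from an isolated operational fault. It also includes a check that a SAML message ID is a well-formed xs:ID (an NCName), which is the principled way to recognise a malformed ID attribute without maintaining a list of injection patterns; run it on the decoded SAML message, since responses travel base64-encoded in the POST body. The log lines are constructed for the example, with invented logger names and messages laid out in the default `%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m` pattern, and the ASCII-only ID regex assumes deployments emit ASCII IDs.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample shibd.log lines; logger names and message texts are
# invented for this example and are not real Shibboleth output.
SAMPLE_LOG = """\
2025-09-05 12:00:01 INFO Shibboleth.SessionCache : new session created
2025-09-05 12:00:02 ERROR XMLTooling.StorageService.ODBC : SQL error during insert
2025-09-05 12:00:02 ERROR XMLTooling.StorageService.ODBC : SQL error during insert
2025-09-05 12:00:03 ERROR XMLTooling.StorageService.ODBC : database query failed
2025-09-05 12:00:04 WARN Shibboleth.SSO.SAML2 : ODBC exception while checking replay cache
2025-09-05 12:30:00 ERROR XMLTooling.StorageService.ODBC : database connection error
"""

LOG_LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+) (\S+) : (.*)$")
# The two keyword groups of the SIEM query: a storage term AND a failure term.
STORE_RE = re.compile(r"\b(SQL|database|ODBC)\b", re.IGNORECASE)
FAIL_RE = re.compile(r"\b(error|failed|exception)\b", re.IGNORECASE)


def matching_events(log_text):
    """Return (timestamp, level, message) for lines that satisfy the query.
    Only the message is matched, so a logger name ending in 'ODBC' does not
    turn routine INFO lines into hits."""
    events = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # continuation lines or junk
        ts, level, _logger, msg = m.groups()
        if STORE_RE.search(msg) and FAIL_RE.search(msg):
            events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), level, msg))
    return events


def flagged_minutes(log_text, threshold=3):
    """Minutes containing at least `threshold` matching events. A burst of
    storage errors in a short window is the indicator worth paging on; a
    single error is more likely a database hiccup."""
    buckets = Counter(ts.strftime("%Y-%m-%d %H:%M") for ts, _, _ in matching_events(log_text))
    return sorted(minute for minute, n in buckets.items() if n >= threshold)


# A SAML message ID is an xs:ID, i.e. an NCName: a letter or underscore,
# then letters, digits, '.', '-' or '_'. ASCII-only is an assumption here.
SAML_ID_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]*$")


def is_wellformed_saml_id(value):
    """True when the ID could have been produced by a conforming IdP;
    quotes, spaces and other punctuation are never valid."""
    return bool(SAML_ID_RE.match(value))


if __name__ == "__main__":
    print("matching events:", len(matching_events(SAMPLE_LOG)))
    print("flagged minutes:", flagged_minutes(SAMPLE_LOG))
    print("ID check:", is_wellformed_saml_id("_2f1a9c"), is_wellformed_saml_id("_2f1a9c'x"))
```

The minute-bucket threshold is deliberately low for the sample; tune it against a baseline of your own shibd.log, since a database outage will also produce a burst and should be correlated with the database host's own logs before being treated as probing.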