-----Original Message-----
From: announce <announce-bounces(a)shibboleth.net> On Behalf Of Cantor,
Scott via announce
Sent: Thursday, March 30, 2023 5:29 PM
To: announce(a)shibboleth.net
Subject: Shibboleth Identity Provider Security Advisory [30 March 2023]
Shibboleth Identity Provider Security Advisory [30 March 2023]
Regression in RemoteUser login flow could lead to impersonation
===============================================================
A regression was introduced into the RemoteUser login flow in
the Shibboleth Identity Provider software allowing the use of
a fixed header name to supply the REMOTE_USER value to use.
In the absence of an actual REMOTE_USER variable or any
configured servlet request attributes, the code would fall back
to using a "fixed" header variable name instead of honoring the
configured set of headers to look at.
Given that this would be immediately obvious while using the
software (since it would be unable to obtain a value to use and fail),
it is unlikely this would escape notice, but there is the theoretical
chance of an unguarded header being accepted as the identity.
Deployments that do not make use of this login flow are unaffected
(despite the fact that the servlet containing the regression is
generally active by default).
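To make the failure mode concrete, the following is an added toy model of the lookup order the advisory describes (REMOTE_USER, then configured request attributes, then headers). It is illustrative Python written for this page, not Shibboleth's code; the header and attribute names, including the "fixed" fallback header, are constructed for the example because the advisory does not name them.

```python
"""Toy model of REMOTE_USER principal resolution, constructed for this page.

Two resolvers are shown: one that reproduces the regression described in
the advisory (falling back to a fixed header name and never consulting the
configured header list) and one that honours only the deployer's
configuration. Nothing here is Shibboleth's own code.
"""

# Assumption: the real fixed header is not named in the advisory, so this
# name is invented for the example.
FIXED_FALLBACK_HEADER = "x-fixed-remote-user"


class Request:
    """Minimal stand-in for a servlet request: REMOTE_USER, request
    attributes set by the container or a filter, and HTTP headers
    (header names are compared case-insensitively)."""

    def __init__(self, remote_user=None, attributes=None, headers=None):
        self.remote_user = remote_user
        self.attributes = dict(attributes or {})
        self.headers = {k.lower(): v for k, v in (headers or {}).items()}

    def header(self, name):
        return self.headers.get(name.lower())


def _from_attributes(req, configured_attributes):
    """Return the first non-empty configured request attribute, if any."""
    for name in configured_attributes:
        value = req.attributes.get(name)
        if value:
            return value
    return None


def resolve_regressed(req, configured_attributes, configured_headers):
    """Models the behaviour the advisory attributes to 4.3.0: after
    REMOTE_USER and the configured attributes, one fixed header name is
    read instead of the configured set of headers."""
    if req.remote_user:
        return req.remote_user
    value = _from_attributes(req, configured_attributes)
    if value:
        return value
    # Regression: configured_headers is never consulted, so a deployment
    # relying on a configured header obtains no value (and fails visibly),
    # while a request carrying the fixed header is accepted as the identity.
    return req.header(FIXED_FALLBACK_HEADER)


def resolve_fixed(req, configured_attributes, configured_headers):
    """Honours only the deployer's configuration; no implicit fallback."""
    if req.remote_user:
        return req.remote_user
    value = _from_attributes(req, configured_attributes)
    if value:
        return value
    for name in configured_headers:
        value = req.header(name)
        if value:
            return value
    return None


def demo():
    """Run both resolvers against two constructed requests and return
    the outcomes keyed by scenario."""
    cfg_attrs = ["remoteUserFromFilter"]          # constructed attribute name
    cfg_headers = ["X-Proxy-Remote-User"]         # constructed header name
    # Normal deployment: the trusted front end supplies the configured header.
    normal = Request(headers={"X-Proxy-Remote-User": "bob"})
    # A request carrying only the fixed-name header, which the deployer never
    # configured and therefore never arranged for the front end to guard.
    unguarded = Request(headers={FIXED_FALLBACK_HEADER: "alice"})
    return {
        "regressed_normal": resolve_regressed(normal, cfg_attrs, cfg_headers),
        "regressed_unguarded": resolve_regressed(unguarded, cfg_attrs, cfg_headers),
        "fixed_normal": resolve_fixed(normal, cfg_attrs, cfg_headers),
        "fixed_unguarded": resolve_fixed(unguarded, cfg_attrs, cfg_headers),
    }


if __name__ == "__main__":
    for scenario, principal in demo().items():
        print(f"{scenario}: {principal!r}")
```

The two regressed results correspond directly to the advisory's two observations: the configured header is ignored, so a normal deployment obtains no value and fails in an obvious way, and a header the deployer never configured (and so never thought to strip at the front end) is accepted as the identity. The fixed resolver yields a value only from the configured sources, which is the behaviour to expect after upgrading.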
Affected Versions
=================
Version 4.3.0 only of the Identity Provider, when using the
RemoteUser login flow, either directly, or indirectly via the MFA
login flow feature.
Recommendations
===============
Upgrade to Identity Provider V4.3.1 or later.
References
==========
URL for this Security Advisory
http://shibboleth.net/community/advisories/secadv_20230330.txt
Credits
=======
Tero Marttila, Funidata Oy