CVE-2025-9943

NameCVE-2025-9943
DescriptionAn SQL injection vulnerability has been identified in the "ID" attribute of the SAML response when the replay cache of the Shibboleth Service Provider (SP) is configured to use an SQL database as storage service. An unauthenticated attacker can exploit this issue via blind SQL injection, allowing for the extraction of arbitrary data from the database, if the database connection is configured to use the ODBC plugin. The vulnerability arises from insufficient escaping of single quotes in the class SQLString (file odbc-store.cpp, lines 253-271). This issue affects Shibboleth Service Provider through 3.5.0.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-5994-1
Debian Bugs1114506

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
shibboleth-sp (PTS)bullseye3.2.2+dfsg1-1vulnerable
bookworm3.4.1+dfsg-2vulnerable
bookworm (security)3.4.1+dfsg-2+deb12u1fixed
trixie3.5.0+dfsg-2vulnerable
trixie (security)3.5.0+dfsg-2+deb13u1fixed
forky, sid3.5.1+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
shibboleth-spsourcebookworm3.4.1+dfsg-2+deb12u1DSA-5994-1
shibboleth-spsourcetrixie3.5.0+dfsg-2+deb13u1DSA-5994-1
shibboleth-spsource(unstable)3.5.1+dfsg-11114506

Notes

https://issues.shibboleth.net/jira/browse/SSPCPP-1014
https://shibboleth.net/community/advisories/secadv_20250903.txt
Search for package or bug name: Reporting problems