@tk-t0n0y tk-t0n0y commented Dec 9, 2025

Template validation

  • Validated with a host running a vulnerable version and/or configuration (True Positive)
  • Validated with a host running a patched version and/or configuration (avoid False Positive)

Additional Details

Vulnerability Overview:
The vulnerability exists in Shibboleth Service Provider 3.5.0 and earlier when the replay cache is configured to use an SQL database via the ODBC plugin. Insufficient escaping of single quotes in the SQLString class allows for blind SQL injection through the ID attribute of SAML responses.

Detection Method:
The template uses a two-request approach to detect the vulnerability:

  1. First request sends a SAML response with SQL injection payload in the ID attribute
  2. Second request replays the same payload to trigger replay detection
  3. If the SQL injection succeeds, the server responds with "Rejecting replayed message ID" and HTTP 500 status

Template Features:

  • Dynamic UTC timestamp generation using date_time() helper to satisfy SAML time window requirements
  • Boolean-based blind SQL injection payload: ID="\' OR 1=1 -- -"
  • Proper URL encoding and Base64 encoding of SAML XML payload
  • Consistent ID across both requests using variables

Affected Systems:

  • Shibboleth Service Provider ≤ 3.5.0
  • Only when configured with ODBC StorageService for ReplayCache
  • Fixed in version 3.5.1

CVSS Score: 9.8 (Critical)
CWE: CWE-89 (SQL Injection)

Note: This template is crafted based on the proof-of-concept from SEC Consult's security advisory. Testing on actual vulnerable systems is recommended before merge.
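Two defender-side checks that follow from the description above, written here as an added example (not code from this PR, the template project, or the Shibboleth project). The first reads a shibboleth2.xml document and reports which StorageService backs the ReplayCache, so an operator can tell whether the ODBC-backed replay cache the advisory describes is actually in use; the second validates a SAML message ID against the xs:ID (NCName) grammar, since a quote, space or "--" can never appear in a well-formed ID, which makes such values a cheap thing to reject or alert on before they reach any storage layer. Assumptions: the element and attribute names follow the documented shibboleth2.xml layout (a `<ReplayCache StorageService="..."/>` referencing a `<StorageService type="..." id="..."/>`), the function names are mine, and both XML samples are constructed.

```python
"""Added example: configuration and input checks for the Shibboleth SP
replay-cache condition described in the PR. Not project code."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: ReplayCache pointed at an ODBC-backed StorageService.
SAMPLE_ODBC_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <StorageService type="ODBC" id="db" cleanupInterval="900">
    <ConnectionString>DSN=shibboleth;UID=shib;PWD=placeholder</ConnectionString>
  </StorageService>
  <StorageService type="Memory" id="mem" cleanupInterval="900"/>
  <ReplayCache StorageService="db"/>
</SPConfig>"""

# Constructed sample: default in-memory replay cache.
SAMPLE_MEMORY_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <StorageService type="Memory" id="mem" cleanupInterval="900"/>
  <ReplayCache StorageService="mem"/>
</SPConfig>"""


def _local(tag):
    """Strip the XML namespace so lookups work whatever prefix the file uses."""
    return tag.rsplit("}", 1)[-1]


def replaycache_storage_type(config_xml):
    """Return the 'type' of the StorageService that backs <ReplayCache>.

    Returns None when no ReplayCache element is present or when the
    referenced StorageService id is not defined in the document.
    (Assumed layout: ReplayCache@StorageService -> StorageService@id.)
    """
    root = ET.fromstring(config_xml)
    services = {}
    replay_ref = None
    for el in root.iter():
        name = _local(el.tag)
        if name == "StorageService":
            services[el.get("id")] = el.get("type")
        elif name == "ReplayCache":
            replay_ref = el.get("StorageService")
    if replay_ref is None:
        return None
    return services.get(replay_ref)


def replaycache_uses_odbc(config_xml):
    """True when the replay cache is SQL-backed through the ODBC StorageService,
    i.e. the configuration the advisory says is required for the issue."""
    storage = replaycache_storage_type(config_xml)
    return storage is not None and storage.upper() == "ODBC"


# xs:ID is an NCName: a letter or underscore first, then letters, digits,
# '.', '-' and '_'. Restricted to ASCII here; full NCName also allows many
# Unicode letters, which an operator may want to permit.
_NCNAME = re.compile(r"[A-Za-z_][A-Za-z0-9._-]*")


def is_valid_saml_id(value):
    """True when `value` is a syntactically valid SAML ID (xs:ID / NCName).
    Quotes, spaces and comment sequences can never pass this check."""
    return _NCNAME.fullmatch(value) is not None


if __name__ == "__main__":
    print("ODBC sample uses ODBC replay cache:", replaycache_uses_odbc(SAMPLE_ODBC_CONFIG))
    print("Memory sample uses ODBC replay cache:", replaycache_uses_odbc(SAMPLE_MEMORY_CONFIG))
    print("Well-formed ID accepted:", is_valid_saml_id("_a1b2c3d4e5f6"))
    print("Quoted value rejected:", not is_valid_saml_id("' OR 1=1 -- -"))
```

The configuration check is the quickest way to scope exposure across a fleet before running the template itself: an SP whose ReplayCache is not ODBC-backed is outside the affected configuration regardless of version. The ID validator is a pre-filter, not a substitute for the 3.5.1 fix; it simply turns the malformed-ID case into a logged rejection rather than something the storage layer has to escape.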

@github-actions github-actions bot requested a review from theamanrawat December 9, 2025 18:01
@pussycat0x pussycat0x added the Status: In Progress This issue is being worked on, and has someone assigned. label Dec 18, 2025