Vulnerability Database

317,828

Total vulnerabilities in the database

CVE-2019-19191

Shibboleth Service Provider (SP) 3.x before 3.1.0 shipped a spec file that calls chown on files in a directory controlled by the service user (the shibd account) after installation. This allows the user to escalate to root by pointing symlinks to files such as /etc/shadow.

Published: Nov 21, 2019
Updated: Nov 9, 2025
CVE: CVE-2019-19191
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.8
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.2
AV:L/AC:L/Au:N/C:C/I:C/A:C

CWEs:

CWE-59

Affected Software
References

Software	From	Fixed in
shibboleth / service_provider	3.0.0	3.1.0

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00017.html
https://bugzilla.suse.com/show_bug.cgi?id=1157471
https://issues.shibboleth.net/jira/browse/SSPCPP-874

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo