{"url":"http://public2.vulnerablecode.io/api/packages/516130?format=json","purl":"pkg:deb/debian/shibboleth-sp@1.3.1.dfsg1-3%2Blenny2","type":"deb","namespace":"debian","name":"shibboleth-sp","version":"1.3.1.dfsg1-3+lenny2","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.4.1+dfsg-2+deb12u1","latest_non_vulnerable_version":"3.4.1+dfsg-2+deb12u1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/96862?format=json","vulnerability_id":"VCID-1nsb-vhvj-3fg4","summary":"OpenSAML 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, as used by Internet2 Shibboleth Service Provider 2.x before 2.2.1, do not follow the KeyDescriptor element's Use attribute, which allows remote attackers to use a certificate for both signing and encryption when it is designated for just one purpose, potentially weakening the intended security application of the certificate.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2009-3474","reference_id":"","reference_type":"","scores":[{"value":"0.01289","scoring_system":"epss","scoring_elements":"0.79996","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01289","scoring_system":"epss","scoring_elements":"0.80021","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01289","scoring_system":"epss","scoring_elements":"0.80026","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01289","scoring_system":"epss","scoring_elements":"0.8002","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01289","scoring_system":"epss","scoring_elements":"0.8001","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01289","scoring_system":"epss","scoring_elements":"0.8003","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2009-3474"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3474","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3474"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/516131?format=json","purl":"pkg:deb/debian/shibboleth-sp@3.0.4%2Bdfsg1-1%2Bdeb10u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-qh7w-keht-9bd5"},{"vulnerability":"VCID-ssce-bxkv-kbft"},{"vulnerability":"VCID-suez-nq67-4ua7"},{"vulnerability":"VCID-yfz7-4q52-57e1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/shibboleth-sp@3.0.4%252Bdfsg1-1%252Bdeb10u2"}],"aliases":["CVE-2009-3474"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1nsb-vhvj-3fg4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/96865?format=json","vulnerability_id":"VCID-66rs-k837-x7au","summary":"Buffer overflow in OpenSAML before 1.1.3 as used in Internet2 Shibboleth Service Provider software 1.3.x before 1.3.4, and XMLTooling before 1.2.2 as used in Internet2 Shibboleth Service Provider software 2.x before 2.2.1, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a malformed encoded URL.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2009-3476","reference_id":"","reference_type":"","scores":[{"value":"0.01755","scoring_system":"epss","scoring_elements":"0.82928","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01755","scoring_system":"epss","scoring_elements":"0.82955","published_at":"2026-06-09T12:55:00Z"},{"value":"0.01755","scoring_system":"epss","scoring_elements":"0.82951","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01755","scoring_system":"epss","scoring_elements":"0.82942","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2009-3476"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3476","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3476"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/516131?format=json","purl":"pkg:deb/debian/shibboleth-sp@3.0.4%2Bdfsg1-1%2Bdeb10u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-qh7w-keht-9bd5"},{"vulnerability":"VCID-ssce-bxkv-kbft"},{"vulnerability":"VCID-suez-nq67-4ua7"},{"vulnerability":"VCID-yfz7-4q52-57e1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/shibboleth-sp@3.0.4%252Bdfsg1-1%252Bdeb10u2"}],"aliases":["CVE-2009-3476"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-66rs-k837-x7au"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/96863?format=json","vulnerability_id":"VCID-d8q2-cta1-bkb7","summary":"Internet2 Shibboleth Service Provider software 1.3.x before 1.3.3 and 2.x before 2.2.1, when using PKIX trust validation, does not properly handle a '\\0' character in the subject or subjectAltName fields of a certificate, which allows remote man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2009-3475","reference_id":"","reference_type":"","scores":[{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.58458","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.58505","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.58513","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.58506","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.58492","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.58507","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2009-3475"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3475","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3475"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/516131?format=json","purl":"pkg:deb/debian/shibboleth-sp@3.0.4%2Bdfsg1-1%2Bdeb10u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-qh7w-keht-9bd5"},{"vulnerability":"VCID-ssce-bxkv-kbft"},{"vulnerability":"VCID-suez-nq67-4ua7"},{"vulnerability":"VCID-yfz7-4q52-57e1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/shibboleth-sp@3.0.4%252Bdfsg1-1%252Bdeb10u2"}],"aliases":["CVE-2009-3475"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d8q2-cta1-bkb7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/100899?format=json","vulnerability_id":"VCID-dayu-1rzf-bqen","summary":"Multiple cross-site scripting (XSS) vulnerabilities in the Identity Provider (IdP) 1.3.x before 1.3.4 and 2.x before 2.1.5, and the Service Provider 1.3.x before 1.3.5 and 2.x before 2.3, in Internet2 Middleware Initiative Shibboleth allow remote attackers to inject arbitrary web script or HTML via URLs that are encountered in redirections, and appear in automatically generated forms.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2009-3300","reference_id":"","reference_type":"","scores":[{"value":"0.0032","scoring_system":"epss","scoring_elements":"0.55332","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0032","scoring_system":"epss","scoring_elements":"0.55388","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0032","scoring_system":"epss","scoring_elements":"0.55393","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0032","scoring_system":"epss","scoring_elements":"0.55382","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0032","scoring_system":"epss","scoring_elements":"0.55362","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0032","scoring_system":"epss","scoring_elements":"0.55381","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2009-3300"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3300","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3300"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/516131?format=json","purl":"pkg:deb/debian/shibboleth-sp@3.0.4%2Bdfsg1-1%2Bdeb10u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-qh7w-keht-9bd5"},{"vulnerability":"VCID-ssce-bxkv-kbft"},{"vulnerability":"VCID-suez-nq67-4ua7"},{"vulnerability":"VCID-yfz7-4q52-57e1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/shibboleth-sp@3.0.4%252Bdfsg1-1%252Bdeb10u2"}],"aliases":["CVE-2009-3300"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dayu-1rzf-bqen"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/100902?format=json","vulnerability_id":"VCID-qh7w-keht-9bd5","summary":"Shibboleth Service Provider before 3.2.1 allows content injection because template generation uses attacker-controlled parameters.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-28963","reference_id":"","reference_type":"","scores":[{"value":"0.00488","scoring_system":"epss","scoring_elements":"0.65828","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00488","scoring_system":"epss","scoring_elements":"0.65881","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00488","scoring_system":"epss","scoring_elements":"0.65893","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00488","scoring_system":"epss","scoring_elements":"0.65879","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00488","scoring_system":"epss","scoring_elements":"0.65868","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00488","scoring_system":"epss","scoring_elements":"0.65887","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-28963"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28963","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28963"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985405","reference_id":"985405","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985405"},{"reference_url":"https://usn.ubuntu.com/4925-1/","reference_id":"USN-4925-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4925-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/516131?format=json","purl":"pkg:deb/debian/shibboleth-sp@3.0.4%2Bdfsg1-1%2Bdeb10u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-qh7w-keht-9bd5"},{"vulnerability":"VCID-ssce-bxkv-kbft"},{"vulnerability":"VCID-suez-nq67-4ua7"},{"vulnerability":"VCID-yfz7-4q52-57e1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/shibboleth-sp@3.0.4%252Bdfsg1-1%252Bdeb10u2"},{"url":"http://public2.vulnerablecode.io/api/packages/599555?format=json","purl":"pkg:deb/debian/shibboleth-sp@3.2.2%2Bdfsg1-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-suez-nq67-4ua7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/shibboleth-sp@3.2.2%252Bdfsg1-1"}],"aliases":["CVE-2021-28963"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qh7w-keht-9bd5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/100901?format=json","vulnerability_id":"VCID-ssce-bxkv-kbft","summary":"Shibboleth Service Provider (SP) 3.x before 3.1.0 shipped a spec file that calls chown on files in a directory controlled by the service user (the shibd account) after installation. This allows the user to escalate to root by pointing symlinks to files such as /etc/shadow.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-19191","reference_id":"","reference_type":"","scores":[{"value":"0.00172","scoring_system":"epss","scoring_elements":"0.3827","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00172","scoring_system":"epss","scoring_elements":"0.38222","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00172","scoring_system":"epss","scoring_elements":"0.38267","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00172","scoring_system":"epss","scoring_elements":"0.38178","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00172","scoring_system":"epss","scoring_elements":"0.38242","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00172","scoring_system":"epss","scoring_elements":"0.38213","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-19191"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19191","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19191"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/599555?format=json","purl":"pkg:deb/debian/shibboleth-sp@3.2.2%2Bdfsg1-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-suez-nq67-4ua7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/shibboleth-sp@3.2.2%252Bdfsg1-1"}],"aliases":["CVE-2019-19191"],"risk_score":2.1,"exploitability":"0.5","weighted_severity":"4.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ssce-bxkv-kbft"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/100905?format=json","vulnerability_id":"VCID-suez-nq67-4ua7","summary":"An SQL injection vulnerability has been identified in the \"ID\" attribute of the SAML response when the replay cache of the Shibboleth Service Provider (SP) is configured to use an SQL database as storage service. An unauthenticated attacker can exploit this issue via blind SQL injection, allowing for the extraction of arbitrary data from the database, if the database connection is configured to use the ODBC plugin. The vulnerability arises from insufficient escaping of single quotes in the class SQLString (file odbc-store.cpp, lines 253-271).  This issue affects Shibboleth Service Provider through 3.5.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-9943","reference_id":"","reference_type":"","scores":[{"value":"0.00231","scoring_system":"epss","scoring_elements":"0.46061","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00257","scoring_system":"epss","scoring_elements":"0.49358","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00257","scoring_system":"epss","scoring_elements":"0.49346","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00257","scoring_system":"epss","scoring_elements":"0.49376","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00257","scoring_system":"epss","scoring_elements":"0.49394","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-9943"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9943","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9943"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1114506","reference_id":"1114506","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1114506"},{"reference_url":"https://shibboleth.net/downloads/service-provider/3.5.1/","reference_id":"3.5.1","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-09-10T19:37:58Z/"}],"url":"https://shibboleth.net/downloads/service-provider/3.5.1/"},{"reference_url":"https://shibboleth.net/community/advisories/secadv_20250903.txt","reference_id":"secadv_20250903.txt","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-09-10T19:37:58Z/"}],"url":"https://shibboleth.net/community/advisories/secadv_20250903.txt"},{"reference_url":"https://r.sec-consult.com/shibboleth","reference_id":"shibboleth","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-09-10T19:37:58Z/"}],"url":"https://r.sec-consult.com/shibboleth"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/708753?format=json","purl":"pkg:deb/debian/shibboleth-sp@3.4.1%2Bdfsg-2%2Bdeb12u1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/shibboleth-sp@3.4.1%252Bdfsg-2%252Bdeb12u1"}],"aliases":["CVE-2025-9943"],"risk_score":2.2,"exploitability":"0.5","weighted_severity":"4.5","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-suez-nq67-4ua7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/100903?format=json","vulnerability_id":"VCID-yfz7-4q52-57e1","summary":"Shibboleth Service Provider 3.x before 3.2.2 is prone to a NULL pointer dereference flaw involving the session recovery feature. The flaw is exploitable (for a daemon crash) on systems not using this feature if a crafted cookie is supplied.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-31826","reference_id":"","reference_type":"","scores":[{"value":"0.01478","scoring_system":"epss","scoring_elements":"0.81315","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01478","scoring_system":"epss","scoring_elements":"0.81342","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01478","scoring_system":"epss","scoring_elements":"0.81344","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01478","scoring_system":"epss","scoring_elements":"0.81338","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01478","scoring_system":"epss","scoring_elements":"0.81355","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-31826"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31826","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31826"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987608","reference_id":"987608","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987608"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/516131?format=json","purl":"pkg:deb/debian/shibboleth-sp@3.0.4%2Bdfsg1-1%2Bdeb10u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-qh7w-keht-9bd5"},{"vulnerability":"VCID-ssce-bxkv-kbft"},{"vulnerability":"VCID-suez-nq67-4ua7"},{"vulnerability":"VCID-yfz7-4q52-57e1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/shibboleth-sp@3.0.4%252Bdfsg1-1%252Bdeb10u2"},{"url":"http://public2.vulnerablecode.io/api/packages/599555?format=json","purl":"pkg:deb/debian/shibboleth-sp@3.2.2%2Bdfsg1-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-suez-nq67-4ua7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/shibboleth-sp@3.2.2%252Bdfsg1-1"}],"aliases":["CVE-2021-31826"],"risk_score":1.5,"exploitability":"0.5","weighted_severity":"3.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yfz7-4q52-57e1"}],"fixing_vulnerabilities":[],"risk_score":"2.2","resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/shibboleth-sp@1.3.1.dfsg1-3%252Blenny2"}