{"id":"CVE-2021-31826","details":"Shibboleth Service Provider 3.x before 3.2.2 is prone to a NULL pointer dereference flaw involving the session recovery feature. The flaw is exploitable (for a daemon crash) on systems not using this feature if a crafted cookie is supplied.","modified":"2026-03-15T22:40:37.045603Z","published":"2021-04-27T04:15:08.550Z","references":[{"type":"WEB","url":"https://git.shibboleth.net/view/?p=cpp-sp.git%3Ba=commit%3Bh=5a47c3b9378f4c49392dd4d15189b70956f9f2ec"},{"type":"ADVISORY","url":"https://shibboleth.net/community/advisories/secadv_20210426.txt"},{"type":"ADVISORY","url":"https://www.debian.org/security/2021/dsa-4905"},{"type":"ADVISORY","url":"https://bugs.debian.org/987608"},{"type":"FIX","url":"https://issues.shibboleth.net/jira/browse/SSPCPP-927"}],"affected":[{"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"3.0.0"},{"fixed":"3.2.2"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-31826.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}