Security Alerts - Shibboleth Service Provider Security Advisory [22 June 2021]
Header smuggling allows for impersonation under IIS 7+
This issue affects all versions of the SP on Windows since V3.0.0 when the IIS 7+ module is used.
An updated version of the Service Provider software is now available which corrects a critical header smuggling/spoofing vulnerability on Windows when using IIS.
Update to V22.214.171.124 or later of the Service Provider software, which is now available. This is a Windows-only update to the V3.2.2 release containing the fixed IIS module.
See the Release Notes: https://wiki.shibboleth.net/confluence/display/SP3/ReleaseNotes
View the Official Security Advisory: