All current versions of the Shibboleth 2 IdP are vulnerable to a
cross-site attack during certain error conditions. Such attacks could
allow an attacker to phish credentials, steal an active session, or
otherwise intercept communication between the user and the IdP.
Affected Versions
All current versions of the Shibboleth 2 IdP.
Addressing the Issue
Within the Shibboleth IdP distribution bundle (the directory structure
created by expanding the archive downloaded from the Shibboleth site),
edit the file 'src/main/webapp/error.jsp' and remove the following lines
(lines 20 - 25 in the default file).
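As an added illustration (not the actual contents of the IdP's error.jsp and not Shibboleth project code), a constructed JSP error page that first shows, commented out, the kind of reflection that turns an error page into a cross-site vector, then the hardened form that escapes the only dynamic value it prints. It assumes the JSTL core taglib is available to the webapp.

```jsp
<%@ page isErrorPage="true" contentType="text/html; charset=UTF-8" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%-- Risky pattern (constructed example, not the IdP's real lines):
     the exception message and the requested URI are written into the
     page verbatim. Both can carry text chosen by whoever built the
     link the user clicked, so it is rendered as markup in the victim's
     browser, in the IdP's origin, next to the IdP's session cookie.

     <p>Error while handling <%= request.getRequestURI() %></p>
     <p><%= exception.getMessage() %></p>
--%>
<%
  // Hardened pattern: keep the detail out of the page entirely, or
  // escape it. Here the message is logged server-side for the operator
  // and only an HTML-escaped copy reaches the browser. 'exception' is
  // the implicit object a container provides when isErrorPage="true".
  String detail = (exception != null && exception.getMessage() != null)
      ? exception.getMessage() : "no detail available";
  application.log("IdP error page rendered: " + detail);
  request.setAttribute("detail", detail);
%>
<html>
<head><title>Identity Provider Error</title></head>
<body>
<h1>An error occurred</h1>
<p>The identity provider could not complete your request.</p>
<%-- c:out escapes <, >, &, ' and " by default (escapeXml="true"),
     so a message containing markup is shown as literal text. The
     request URI is deliberately not echoed at all. --%>
<p>Detail: <c:out value="${detail}"/></p>
</body>
</html>
```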