Shibboleth Service Provider -- SQL injection vulnerability in ODBC plugin

Internet2 reports:

The Shibboleth Service Provider includes a storage API usable for a number of different use cases such as the session cache, replay cache, and relay state management. An ODBC extension plugin is provided with some distributions of the software (notably on Windows).

A SQL injection vulnerability was identified in some of the queries issued by the plugin, and this can be creatively exploited through specially crafted inputs to exfiltrate information stored in the database used by the SP.

[source]