PT-2017-12737 · Uninett+1 · Simplesamlphp+1

Jaime Pérez Crespo

Publicado

2017-09-01

Atualizado

2022-05-14

CVE-2017-12868

CVSS v3.1

9.8

Crítica

Vetor

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions SimpleSAMLphp versions 1.14.13 and earlier

Description The issue concerns the secureCompare method in SimpleSAMLphp, which can be exploited to conduct session fixation attacks or possibly bypass authentication. This is due to missing character conversions before an XOR operation when used with PHP before version 5.6.

Recommendations For SimpleSAMLphp versions 1.14.13 and earlier, consider updating PHP to version 5.6 or later to mitigate the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Session Fixation

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-384

Identificadores relacionados

CVE-2017-12868

DLA-1205-1

DLA-1408-1

GHSA-J96G-47X2-46HV

Produtos afetados

Php

Simplesamlphp

PT-2017-12737 · Uninett+1 · Simplesamlphp+1

CVE-2017-12868

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 22