PT-2018-6687 · Simplesamlphp · Simplesamlphp

Matt Schwager · Published 2018-02-02 · Updated 2022-05-14 · CVE-2017-18122

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SimpleSAMLphp versions prior to 1.14.17
Description: A signature-validation bypass issue was discovered in SimpleSAMLphp. This issue allows an attacker to impersonate any user of any IdP given an assertion signed by the targeted IdP, by sending an unsigned SAML response containing more than one signed assertion. The attributes contained in all the assertions received will be merged and the entityID of the first assertion received will be used.
Recommendations: For SimpleSAMLphp versions prior to 1.14.17, update to version 1.14.17 or later to resolve the issue. As a temporary workaround, consider disabling SAML 1.1 support in the SimpleSAMLphp Service Provider until a patch is available. Restrict access to the SAML response processing module to minimize the risk of exploitation. Avoid using unsigned SAML responses in the affected API endpoint until the issue is resolved.

Weakness Enumeration

Improper Verification of Cryptographic Signature

Related Identifiers

CVE-2017-18122
DLA-1273-1
DSA-4127-1
GHSA-J4QF-3W33-8CGC

Affected Products

Simplesamlphp