CVE-2016-9814

Name of the Vulnerable Software and Affected Versions SimpleSAMLphp versions prior to 1.14.10 simplesamlphp/saml2 library versions prior to 1.9.1 simplesamlphp/saml2 library 1.10.x versions prior to 1.10.3 simplesamlphp/saml2 library 2.x versions prior to 2.3.3

Description The issue allows remote attackers to spoof SAML responses or possibly cause a denial of service by leveraging improper conversion of return values to boolean in the validateSignature method. This method is part of the SAML2Utils class in SimpleSAMLphp and the simplesamlphp/saml2 library.

Recommendations For SimpleSAMLphp versions prior to 1.14.10, update to version 1.14.10 or later. For simplesamlphp/saml2 library versions prior to 1.9.1, update to version 1.9.1 or later. For simplesamlphp/saml2 library 1.10.x versions prior to 1.10.3, update to version 1.10.3 or later. For simplesamlphp/saml2 library 2.x versions prior to 2.3.3, update to version 2.3.3 or later. As a temporary workaround, consider disabling the validateSignature method until a patch is available.