PT-2017-12737 · Uninett+1 · Simplesamlphp+1

Jaime Pérez Crespo

Published

2017-09-01

Updated

2022-05-14

CVE-2017-12868

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions SimpleSAMLphp versions 1.14.13 and earlier

Description The issue concerns the secureCompare method in SimpleSAMLphp, which can be exploited to conduct session fixation attacks or possibly bypass authentication. This is due to missing character conversions before an XOR operation when used with PHP before version 5.6.

Recommendations For SimpleSAMLphp versions 1.14.13 and earlier, consider updating PHP to version 5.6 or later to mitigate the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Session Fixation

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-384

Related Identifiers

CVE-2017-12868

DLA-1205-1

DLA-1408-1

GHSA-J96G-47X2-46HV

Affected Products

Php

Simplesamlphp

PT-2017-12737 · Uninett+1 · Simplesamlphp+1

CVE-2017-12868

Weakness Enumeration

Related Identifiers

Affected Products

References · 22