Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS13dzN3LTU5MmotNXFyd84AAZbs

SimpleSAMLphp Incorrect IV generation for encryption

The aesEncrypt method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.x through 1.14.11 makes it easier for context-dependent attackers to bypass the encryption protection mechanism by leveraging use of the first 16 bytes of the secret key as the initialization vector (IV).

Permalink: https://github.com/advisories/GHSA-ww3w-592j-5qrw
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13dzN3LTU5MmotNXFyd84AAZbs
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 10 days ago

CVSS Score: 5.9
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-ww3w-592j-5qrw, CVE-2017-12871
References:

Repository: https://github.com/simplesamlphp/simplesamlphp
Blast Radius: 14.8

Affected Packages

packagist:simplesamlphp/simplesamlphp

Dependent packages: 163
Dependent repositories: 318
Downloads: 8,344,492 total
Affected Version Ranges: >= 1.14.0, < 1.14.12
Fixed in: 1.14.12
All affected versions: 1.14.0, 1.14.1, 1.14.2, 1.14.3, 1.14.4, 1.14.5, 1.14.6, 1.14.7, 1.14.8, 1.14.9, 1.14.10, 1.14.11
All unaffected versions: 1.12.0, 1.13.0, 1.13.1, 1.13.2, 1.14.12, 1.14.13, 1.14.14, 1.14.15, 1.14.16, 1.14.17, 1.15.0, 1.15.1, 1.15.2, 1.15.3, 1.15.4, 1.16.0, 1.16.1, 1.16.2, 1.16.3, 1.17.0, 1.17.1, 1.17.2, 1.17.3, 1.17.4, 1.17.5, 1.17.6, 1.17.7, 1.17.8, 1.18.0, 1.18.1, 1.18.2, 1.18.3, 1.18.4, 1.18.5, 1.18.6, 1.18.7, 1.18.8, 1.18.9, 1.19.0, 1.19.1, 1.19.2, 1.19.3, 1.19.4, 1.19.5, 1.19.6, 1.19.7, 1.19.8, 1.19.9, 2.0.0, 2.0.1, 2.0.2, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.2.0, 2.2.0, 2.2.1, 2.2.2, 99.99.99