Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qOTZnLTQ3eDItNDZods4AAWrb
SimpleSAMLphp Session fixation issue and authentication bypass in the authcrypt module
The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation.
Permalink: https://github.com/advisories/GHSA-j96g-47x2-46hv
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qOTZnLTQ3eDItNDZods4AAWrb
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 2 years ago
Updated: 13 days ago
CVSS Score: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-j96g-47x2-46hv, CVE-2017-12868
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-12868
- https://github.com/simplesamlphp/simplesamlphp/commit/4bc629658e7b7d17c9ac3fe0da7dc5df71f1b85e
- https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html
- https://lists.debian.org/debian-lts-announce/2018/06/msg00017.html
- https://simplesamlphp.org/security/201705-01
- https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12868.yaml
- https://github.com/advisories/GHSA-j96g-47x2-46hv
Blast Radius: 24.5
Affected Packages
packagist:simplesamlphp/simplesamlphp
Dependent packages: 166
Dependent repositories: 318
Downloads: 8,398,572 total
Affected Version Ranges: >= 1.14.12, < 1.14.14
Fixed in: 1.14.14
All affected versions: 1.14.12, 1.14.13
All unaffected versions: 1.12.0, 1.13.0, 1.13.1, 1.13.2, 1.14.0, 1.14.1, 1.14.2, 1.14.3, 1.14.4, 1.14.5, 1.14.6, 1.14.7, 1.14.8, 1.14.9, 1.14.10, 1.14.11, 1.14.14, 1.14.15, 1.14.16, 1.14.17, 1.15.0, 1.15.1, 1.15.2, 1.15.3, 1.15.4, 1.16.0, 1.16.1, 1.16.2, 1.16.3, 1.17.0, 1.17.1, 1.17.2, 1.17.3, 1.17.4, 1.17.5, 1.17.6, 1.17.7, 1.17.8, 1.18.0, 1.18.1, 1.18.2, 1.18.3, 1.18.4, 1.18.5, 1.18.6, 1.18.7, 1.18.8, 1.18.9, 1.19.0, 1.19.1, 1.19.2, 1.19.3, 1.19.4, 1.19.5, 1.19.6, 1.19.7, 1.19.8, 1.19.9, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.2.0, 2.2.1, 2.2.2, 99.99.99