CVE-2016-9814
published 2017-02-17CVE-2016-9814: The validateSignature method in the SAML2\Utils class in SimpleSAMLphp before 1.14.10 and simplesamlphp/saml2 library before 1.9.1, 1.10.x before 1.10.3, and…
critical9.1CVSS 3.0
AVNACLPRNUINSUCNIHAH
The validateSignature method in the SAML2\Utils class in SimpleSAMLphp before 1.14.10 and simplesamlphp/saml2 library before 1.9.1, 1.10.x before 1.10.3, and 2.x before 2.3.3 allows remote attackers to spoof SAML responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean.
Affected
21 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cairographics | cairo | >= 0 < 1.14.6-1ubuntu0.1~esm1 | 1.14.6-1ubuntu0.1~esm1 |
| debian | simplesamlphp | < simplesamlphp 1.14.10-1 (bookworm) | simplesamlphp 1.14.10-1 (bookworm) |
| simplesamlphp | saml2 | <= 1.9 | — |
| simplesamlphp | saml2 | — | — |
| simplesamlphp | saml2 | — | — |
| simplesamlphp | saml2 | — | — |
| simplesamlphp | saml2 | — | — |
| simplesamlphp | saml2 | — | — |
| simplesamlphp | saml2 | — | — |
| simplesamlphp | saml2 | — | — |
| simplesamlphp | saml2 | — | — |
| simplesamlphp | saml2 | — | — |
| simplesamlphp | saml2 | — | — |
| simplesamlphp | saml2 | >= 0 < 1.8.1 | 1.8.1 |
| simplesamlphp | saml2 | >= 1.10 < 1.10.3 | 1.10.3 |
| simplesamlphp | saml2 | >= 1.9.0 < 1.9.1 | 1.9.1 |
| simplesamlphp | saml2 | >= 2.0 < 2.3.3 | 2.3.3 |
| simplesamlphp | simplesamlphp | <= 1.14.9 | — |
| simplesamlphp | simplesamlphp | — | — |
| simplesamlphp | simplesamlphp | >= 0 < 1.14.10-1 | 1.14.10-1 |
| simplesamlphp | simplesamlphp | >= 0 < 1.14.10-1 | 1.14.10-1 |
CVSS provenance
nvdv3.09.1CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
osv9.1CRITICAL