CVE-2017-12868
published 2017-09-01CVE-2017-12868: The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct…
critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
ITW
Exploited in the wild
The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | simplesamlphp | < simplesamlphp 1.14.15-1 (bookworm) | simplesamlphp 1.14.15-1 (bookworm) |
| simplesamlphp | simplesamlphp | <= 1.14.13 | — |
| simplesamlphp | simplesamlphp | >= 0 < 1.14.15-1 | 1.14.15-1 |
| simplesamlphp | simplesamlphp | >= 0 < 1.14.15-1 | 1.14.15-1 |
| simplesamlphp | simplesamlphp | >= 1.14.12 < 1.14.14 | 1.14.14 |
CVSS provenance
nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv9.8CRITICAL