CVE-2017-12868
CRITICAL9.8EPSS 0.76%simplesamlphp - security update
Published: 5/14/2022Modified: 4/28/2026
Description
The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation.
Affected packages (3)
- Debian/simplesamlphpfrom 0, < 1.14.15-1
- Debian/simplesamlphpfrom 0, < 1.13.1-2+deb8u2
- Packagist/simplesamlphp/simplesamlphp>= 1.14.12, < 1.14.14
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (8)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-12868
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2017-12868
- PATCHhttps://github.com/simplesamlphp/simplesamlphp
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12868.yaml
- WEBhttps://github.com/simplesamlphp/simplesamlphp/commit/4bc629658e7b7d17c9ac3fe0da7dc5df71f1b85e
- WEBhttps://lists.debian.org/debian-lts-announce/2017/12/msg00007.html
- WEBhttps://lists.debian.org/debian-lts-announce/2018/06/msg00017.html
- WEBhttps://simplesamlphp.org/security/201705-01