CVE-2017-12873
CRITICAL 9.8 | EPSS 0.73%
Incorrect persistent NameID generation in SimpleSAMLphp
Published: 1/24/2020 | Modified: 4/28/2026
Description
SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured.
Affected packages (2)
- Debian/simplesamlphp: from 0, < 1.14.11-1
- Packagist/simplesamlphp/simplesamlphp: >= 1.7.0, < 1.14.11
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (8)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2017-12873
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2017-12873
- WEB: https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12873.yaml
- WEB: https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953
- WEB: https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-gp2m-7cfp-h6gf
- WEB: https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html
- WEB: https://simplesamlphp.org/security/201612-04
- WEB: https://www.debian.org/security/2018/dsa-4127