CVE-2017-12868
CRITICAL9.8EPSS 0.76%SimpleSAMLphp Session fixation issue and authentication bypass in the authcrypt module
發布日:2022/5/14修改日:2026/4/28
描述
The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation.
受影響套件(3)
- Debian/simplesamlphpfrom 0, < 1.14.15-1
- Debian/simplesamlphpfrom 0, < 1.13.1-2+deb8u2
- Packagist/simplesamlphp/simplesamlphp>= 1.14.12, < 1.14.14
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
參考連結(8)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-12868
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2017-12868
- PATCHhttps://github.com/simplesamlphp/simplesamlphp
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12868.yaml
- WEBhttps://github.com/simplesamlphp/simplesamlphp/commit/4bc629658e7b7d17c9ac3fe0da7dc5df71f1b85e
- WEBhttps://lists.debian.org/debian-lts-announce/2017/12/msg00007.html
- WEBhttps://lists.debian.org/debian-lts-announce/2018/06/msg00017.html
- WEBhttps://simplesamlphp.org/security/201705-01