GHSA-j96g-47x2-46hv
Suggest an improvement- Source
- https://github.com/advisories/GHSA-j96g-47x2-46hv
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-j96g-47x2-46hv/GHSA-j96g-47x2-46hv.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-j96g-47x2-46hv
- Aliases
- Published
- 2022-05-14T03:15:07Z
- Modified
- 2024-04-25T21:57:34.403604Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- SimpleSAMLphp Session fixation issue and authentication bypass in the authcrypt module
- Details
-
The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation.
- Database specific
{ "nvd_published_at": "2017-09-01T13:29:00Z", "cwe_ids": [ "CWE-384" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2024-04-25T21:36:37Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2017-12868
- https://github.com/simplesamlphp/simplesamlphp/commit/4bc629658e7b7d17c9ac3fe0da7dc5df71f1b85e
- https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12868.yaml
- https://github.com/simplesamlphp/simplesamlphp
- https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html
- https://lists.debian.org/debian-lts-announce/2018/06/msg00017.html
- https://simplesamlphp.org/security/201705-01
Affected packages
Packagist / simplesamlphp/simplesamlphp
Package
- Name
- simplesamlphp/simplesamlphp
- Purl
- pkg:composer/simplesamlphp/simplesamlphp