CVE-2017-12868
Published: 1 September 2017
The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation.
Priority
Status
Package | Release | Status
---|---|---
simplesamlphp (Launchpad, Ubuntu, Debian) | artful | Not vulnerable (1.14.15-1)
 | bionic | Not vulnerable (1.14.15-1)
 | cosmic | Not vulnerable (1.14.15-1)
 | disco | Not vulnerable (1.14.15-1)
 | eoan | Not vulnerable (1.14.15-1)
 | focal | Not vulnerable (1.14.15-1)
 | groovy | Not vulnerable (1.14.15-1)
 | hirsute | Not vulnerable (1.14.15-1)
 | impish | Not vulnerable (1.14.15-1)
 | jammy | Not vulnerable (1.14.15-1)
 | kinetic | Not vulnerable (1.14.15-1)
 | lunar | Not vulnerable (1.14.15-1)
 | mantic | Not vulnerable (1.14.15-1)
 | trusty | Does not exist (trusty was needed)
 | upstream | Released (1.14.15-1)
 | xenial | Needed
 | zesty | Ignored (end of life)
Severity score breakdown
Parameter | Value
---|---
Base score | 9.8
Attack vector | Network
Attack complexity | Low
Privileges required | None
User interaction | None
Scope | Unchanged
Confidentiality impact | High
Integrity impact | High
Availability impact | High
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H