CVE-2016-9955

MEDIUM

SimpleSAMLphp < 1.14.11 - Signature Spoofing and Denial of Service via XML Validator

Title source: llm
STIX 2.1

Description

The SimpleSAML_XML_Validator class constructor in SimpleSAMLphp before 1.14.11 might allow remote attackers to spoof signatures on SAML 1 responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean.

References (3)

Core 3
Core References
Vendor Advisory x_refsource_confirm
https://simplesamlphp.org/security/201612-02
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/94946
Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2018/03/msg00001.html

Scores

CVSS v3 6.3
EPSS 0.0119
EPSS Percentile 64.2%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H

Details

CWE
CWE-20
Status published
Products (3)
debian/debian_linux 7.0
simplesamlphp/simplesamlphp < 1.14.11
simplesamlphp/simplesamlphp 0 - 1.14.11Packagist
Published Feb 17, 2017
Tracked Since Feb 18, 2026