CVE-2017-12868
CRITICAL | IN THE WILD
SimpleSAMLphp <= 1.14.13 - Session Fixation / Authentication Bypass in secureCompare()
Title source: llmDescription
The secureCompare() method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when run on PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation. On PHP < 5.6 hash_equals() does not exist, so secureCompare() falls back to a byte-by-byte XOR loop; because the one-byte operands are not converted with ord() first, the XOR is a string XOR and yields a one-byte string, and OR-ing that string into the integer accumulator converts it to 0 for almost every value. Two strings of the same length therefore compare as equal even when their bytes differ, which is why the check protecting session and authentication tokens can be defeated.
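The following PHP is an added example, not code from this page or from SimpleSAMLphp. It paraphrases the shape of the pre-5.6 fallback path before and after the referenced fix (add ord() before the XOR) so the failure can be reproduced on a current interpreter; the function names, the explicit (int) cast that stands in for PHP 5's silent string-to-int conversion, and the sample token are the example's own.

```php
<?php
// Added example, not SimpleSAMLphp's own code. It paraphrases the shape of the
// pre-PHP-5.6 fallback in secureCompare() before and after the fix; function
// and variable names are the example's own.
declare(strict_types=1);

/**
 * Vulnerable shape. $known[$i] and $user[$i] are one-byte strings, so the XOR
 * is PHP's string XOR and yields a one-byte string ("\x00" on a match). OR-ing
 * that string into the integer $diff goes through string-to-int conversion,
 * which maps every non-numeric string to 0. PHP 5 did that conversion silently;
 * PHP 7 warns about it and PHP 8 throws a TypeError, so the explicit (int) cast
 * below emulates the PHP 5 behaviour on a modern interpreter.
 */
function secureCompareVulnerable(string $known, string $user): bool
{
    $len = strlen($known);
    if ($len !== strlen($user)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < $len; $i++) {
        $diff |= (int) ($known[$i] ^ $user[$i]); // string XOR, then loose int conversion
    }
    return $diff === 0;
}

/**
 * Fixed fallback: convert each byte to its integer value with ord() first, so
 * the XOR and OR operate on integers and any differing byte leaves $diff != 0.
 */
function xorCompareFixed(string $known, string $user): bool
{
    $len = strlen($known);
    if ($len !== strlen($user)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < $len; $i++) {
        $diff |= ord($known[$i]) ^ ord($user[$i]);
    }
    return $diff === 0;
}

/** What a patched secureCompare() does: prefer hash_equals() (PHP >= 5.6). */
function secureCompareFixed(string $known, string $user): bool
{
    if (function_exists('hash_equals')) {
        return hash_equals($known, $user);
    }
    return xorCompareFixed($known, $user);
}

/**
 * For each mismatching byte position, reports whether the vulnerable loop would
 * notice it: only when the XOR byte lands on an ASCII digit '1'..'9' does the
 * string-to-int conversion produce a non-zero value.
 */
function detectablePositions(string $known, string $user): array
{
    $out = [];
    for ($i = 0, $n = min(strlen($known), strlen($user)); $i < $n; $i++) {
        $x = ord($known[$i]) ^ ord($user[$i]);
        if ($x !== 0) {
            $out[$i] = ($x >= 0x31 && $x <= 0x39);
        }
    }
    return $out;
}

// Constructed sample input: a server-side token and an attacker-supplied guess
// of the same length that shares no byte with it.
$token = 'a3f9c1d2e4b7';
$guess = str_repeat('0', strlen($token));

var_dump(secureCompareVulnerable($token, $guess));
var_dump(xorCompareFixed($token, $guess));
var_dump(secureCompareFixed($token, $guess));
var_dump(secureCompareFixed($token, $token));
print_r(detectablePositions($token, $guess));
```

Run with `php example.php`. With the constructed token, none of the twelve XOR bytes falls on '1'..'9', so secureCompareVulnerable() accepts the all-zero guess while both fixed variants reject it; detectablePositions() makes the caveat visible: the broken loop only catches a mismatch when the XOR of the two bytes happens to be an ASCII digit 1 to 9, which is why the advisory describes a possible rather than guaranteed bypass. On PHP >= 5.6 the fallback is never reached, so the bug only affects deployments on older interpreters.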
References (4)
- Patch, Vendor Advisory: https://simplesamlphp.org/security/201705-01
- Mailing List: https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html
- Issue Tracking, Patch, Third Party Advisory: https://github.com/simplesamlphp/simplesamlphp/commit/4bc629658e7b7d17c9ac3fe0da7dc5df71f1b85e
- Mailing List: https://lists.debian.org/debian-lts-announce/2018/06/msg00017.html
Scores
CVSS v3: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK
EPSS: 0.0076 (percentile 73.5%)
Details
In the wild: InTheWild.io, 2018-11-25
CWE: CWE-384 (Session Fixation)
Status: published
Products (2)
simplesamlphp/simplesamlphp < 1.14.13
simplesamlphp/simplesamlphp 1.14.12 - 1.14.14 (Packagist)
Published: Sep 01, 2017
Tracked Since: Feb 18, 2026