CVE-2017-12868

CRITICAL IN THE WILD

SimpleSAMLphp <1.14.13 - Session Fixation


Exploitation Summary

CVE-2017-12868 has been observed exploited in the wild (reported by InTheWild.io).

Description

The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation.

References (4)

Patch, Vendor Advisory (x_refsource_confirm): https://simplesamlphp.org/security/201705-01
Mailing List (x_refsource_mlist): https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html
Mailing List (x_refsource_mlist): https://lists.debian.org/debian-lts-announce/2018/06/msg00017.html

Scores

CVSS v3 9.8
EPSS 0.0213
EPSS Percentile 79.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

InTheWild.io 2018-11-25
CWE
CWE-384
Status published
Products (2)
simplesamlphp/simplesamlphp < 1.14.13
simplesamlphp/simplesamlphp 1.14.12 - 1.14.14 (Packagist)
Published Sep 01, 2017
Tracked Since Feb 18, 2026