Description
The aesEncrypt method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.x through 1.14.11 makes it easier for context-dependent attackers to bypass the encryption protection mechanism by leveraging use of the first 16 bytes of the secret key as the initialization vector (IV).
References (2)
Core 2
Core References
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://simplesamlphp.org/security/201703-02
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://github.com/simplesamlphp/simplesamlphp/commit/77df6a932d46daa35e364925eb73a175010dc904
Scores
CVSS v3
5.9
EPSS
0.0008
EPSS Percentile
23.5%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-326
Status
published
Products (13)
simplesamlphp/simplesamlphp
1.14.0
simplesamlphp/simplesamlphp
1.14.1
simplesamlphp/simplesamlphp
1.14.2
simplesamlphp/simplesamlphp
1.14.3
simplesamlphp/simplesamlphp
1.14.4
simplesamlphp/simplesamlphp
1.14.5
simplesamlphp/simplesamlphp
1.14.6
simplesamlphp/simplesamlphp
1.14.7
simplesamlphp/simplesamlphp
1.14.8
simplesamlphp/simplesamlphp
1.14.9
... and 3 more
Published
Sep 01, 2017
Tracked Since
Feb 18, 2026