CVE-2017-12874

HIGH

SimpleSAMLphp InfoCard Module < 1.0.1 - XML Signature Validation Spoofing

Title source: llm
STIX 2.1

Description

The InfoCard module 1.0 for SimpleSAMLphp allows attackers to spoof XML messages by leveraging an incorrect check of return values in signature validation utilities.

References (3)

Core 3
Core References
Patch, Vendor Advisory x_refsource_confirm
https://simplesamlphp.org/security/201612-03
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2018/dsa-4127

Scores

CVSS v3 7.5
EPSS 0.0126
EPSS Percentile 66.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-20
Status published
Products (5)
debian/debian_linux 7.0
debian/debian_linux 8.0
debian/debian_linux 9.0
simplesamlphp/infocard_module 1.0
simplesamlphp/simplesamlphp-module-infocard 0 - 1.0.1Packagist
Published Sep 01, 2017
Tracked Since Feb 18, 2026