CVE-2017-12868

Published: Sep 1, 2017Modified: May 13, 2026

9.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation.

Affected (1)

Products: Simplesamlphp: Simplesamlphp

1 product

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Simplesamlphp Simplesamlphp	Up to 1.14.13

Running on/with	Platform Versions
Php Php	Up to 5.5.38

Related CWEs

Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

References (8)

https://github.com/simplesamlphp/simplesamlphp/commit/4bc629658e7b7d17c9ac3fe0da7dc5df71f1b85e

Source: cve@mitre.org

Issue TrackingPatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html

Source: cve@mitre.org

https://lists.debian.org/debian-lts-announce/2018/06/msg00017.html

Source: cve@mitre.org

https://simplesamlphp.org/security/201705-01

Source: cve@mitre.org

PatchVendor Advisory

https://github.com/simplesamlphp/simplesamlphp/commit/4bc629658e7b7d17c9ac3fe0da7dc5df71f1b85e

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.debian.org/debian-lts-announce/2018/06/msg00017.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://simplesamlphp.org/security/201705-01

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.