CVE-2017-12868
simplesamlphp - security update
9.8
CRITICAL
CVSS 3.1
EPSS 0.76%
Description
The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation.
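The defect the description refers to, as an added illustration that is not SimpleSAMLphp's own code: in PHP, XOR of two one-character strings yields a one-byte string, and `|=` then coerces that non-numeric string to the integer 0, so the accumulator never records a difference unless the XOR result happens to be a digit character. The helper names and the sample token are assumptions; the behaviour shown is that of PHP 5.x (PHP 7.1+ emits a warning and PHP 8 throws a TypeError on the same coercion).

```php
<?php
// Added illustration, not SimpleSAMLphp code. Helper names are hypothetical.
// Shows why a byte-wise XOR compare in PHP needs ord(): without it the
// accumulator is OR-ed with a one-byte *string*, which PHP 5 silently
// coerces to 0 unless that byte happens to be a digit character.

// Defective pattern described in CVE-2017-12868 (PHP 5.x semantics).
function secureCompareBroken($known, $user)
{
    if (strlen($known) !== strlen($user)) {
        return false;
    }
    $result = 0;
    for ($i = 0; $i < strlen($known); $i++) {
        // "a" ^ "b" is the string "\x03"; 0 | "\x03" is evaluated as 0 | 0,
        // so $result stays 0 and differing inputs still compare as equal.
        $result |= $known[$i] ^ $user[$i];
    }
    return $result === 0;
}

// Corrected form: use hash_equals() where available (PHP >= 5.6),
// otherwise convert each byte to its integer code before the XOR.
function secureCompareFixed($known, $user)
{
    if (function_exists('hash_equals')) {
        return hash_equals($known, $user);
    }
    if (strlen($known) !== strlen($user)) {
        return false;
    }
    $result = 0;
    for ($i = 0; $i < strlen($known); $i++) {
        $result |= ord($known[$i]) ^ ord($user[$i]);
    }
    return $result === 0;
}

// Constructed sample: a stored session token and an equal-length wrong guess.
$stored = 'correct-token';
$guess  = 'wrong---token';
var_dump(secureCompareBroken($stored, $guess));
var_dump(secureCompareFixed($stored, $guess));
```

On PHP 5.x the broken helper reports the two differing tokens as equal while the corrected one rejects the guess; a unit test that feeds known-different, equal-length strings through the comparison function is the simplest regression check for this class of bug.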
How to fix CVE-2017-12868
To remediate CVE-2017-12868, upgrade the affected package to a fixed version below.
- upgrade to 1.14.15-1 or later
- upgrade to 1.13.1-2+deb8u2 or later
- upgrade to 1.14.14 or later
Is CVE-2017-12868 being exploited?
Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 1.14.15-1
- from 0, < 1.13.1-2+deb8u2
- >= 1.14.12, < 1.14.14
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |