CVE-2017-12873
Incorrect persistent NameID generation in SimpleSAMLphp
9.8
CRITICAL
CVSS 3.1
EPSS 0.73%
Description
SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured.
How to fix CVE-2017-12873
To remediate CVE-2017-12873, upgrade the affected package to a fixed version below.
- upgrade to 1.14.11-1 or later
- upgrade to 1.14.11 or later
Is CVE-2017-12873 being exploited?
Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 1.14.11-1
- >= 1.7.0, < 1.14.11
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (8)
- ADVISORY: nvd.nist.gov/vuln/detail/CVE-2017-12873
- ADVISORY: security-tracker.debian.org/tracker/CVE-2017-12873
- WEB: github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12873.yaml
- WEB: github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953