CVE-2019-3465 — simplesamlphp - security update

Description

Rob Richards XmlSecLibs, all versions prior to v3.0.3, as used for example by SimpleSAMLphp, performed incorrect validation of cryptographic signatures in XML messages, allowing an authenticated attacker to impersonate others or elevate privileges by creating a crafted XML message.

How to fix CVE-2019-3465

To remediate CVE-2019-3465, upgrade the affected package to a fixed version below.

—upgrade to 1.17.6-2 or later
—upgrade to 1.13.1-2+deb8u3 or later
—upgrade to 1.14.11-1+deb9u2 or later
—upgrade to 3.0.4 or later

Is CVE-2019-3465 being exploited?

Low — EPSS is 1.9%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

from 0, < 1.17.6-2
from 0, < 1.13.1-2+deb8u3
from 0, < 1.14.11-1+deb9u2
>= 3.0.0, < 3.0.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (18)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-3465
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2019-3465
WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/robrichards/xmlseclibs/CVE-2019-3465.yaml
WEBgithub.com/robrichards/xmlseclibs/commit/0a53d3c3aa87564910cae4ed01416441d3ae0db5