Описание
The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| simplesamlphp | fixed | 1.14.15-1 | package | |
| simplesamlphp | not-affected | stretch | package |
Примечания
https://simplesamlphp.org/security/201705-01
Patch: https://github.com/simplesamlphp/simplesamlphp/commit/caf764cc2c9b68ac29741070ebdf133a595443f1
EPSS
Связанные уязвимости
The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation.
The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation.
SimpleSAMLphp Session fixation issue and authentication bypass in the authcrypt module
EPSS