CVE-2017-12868

Опубликовано: 01 сент. 2017

Источник: nvd

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation.

Ссылки

https://github.com/simplesamlphp/simplesamlphp/commit/4bc629658e7b7d17c9ac3fe0da7dc5df71f1b85e
Issue Tracking
Patch
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html
https://lists.debian.org/debian-lts-announce/2018/06/msg00017.html
https://simplesamlphp.org/security/201705-01
Patch
Vendor Advisory
https://github.com/simplesamlphp/simplesamlphp/commit/4bc629658e7b7d17c9ac3fe0da7dc5df71f1b85e
Issue Tracking
Patch
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html
https://lists.debian.org/debian-lts-announce/2018/06/msg00017.html
https://simplesamlphp.org/security/201705-01
Patch
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:a:simplesamlphp:simplesamlphp:*:*:*:*:*:*:*:*

Версия до 1.14.13 (включая)

cpe:2.3:a:php:php:*:*:*:*:*:*:*:*

Версия до 5.5.38 (включая)

EPSS

Процентиль: 72%

0.00764

Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-384

Связанные уязвимости

CVE-2017-12868

CVSS3: 9.8

ubuntu

почти 8 лет назад

CVE-2017-12868

CVSS3: 9.8

debian

почти 8 лет назад

The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleS ...

GHSA-j96g-47x2-46hv

CVSS3: 9.8

github

около 3 лет назад

SimpleSAMLphp Session fixation issue and authentication bypass in the authcrypt module

EPSS

Процентиль: 72%

0.00764

Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-384