cvelistv5 - CVE-2017-12873

CVE-2017-12873 (GCVE-0-2017-12873)

Vulnerability from cvelistv5 – Published: 2017-09-01 21:00 – Updated: 2024-08-05 18:51

Summary

SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://github.com/simplesamlphp/simplesamlphp/co…	x_refsource_CONFIRM
	https://lists.debian.org/debian-lts-announce/2017…	mailing-listx_refsource_MLIST
	https://simplesamlphp.org/security/201612-04	x_refsource_CONFIRM
	https://www.debian.org/security/2018/dsa-4127	vendor-advisoryx_refsource_DEBIAN

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T18:51:06.659Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953"
          },
          {
            "name": "[debian-lts-announce] 20171212 [SECURITY] [DLA 1205-1] simplesamlphp security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://simplesamlphp.org/security/201612-04"
          },
          {
            "name": "DSA-4127",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2018/dsa-4127"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-12-13T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-03-03T10:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953"
        },
        {
          "name": "[debian-lts-announce] 20171212 [SECURITY] [DLA 1205-1] simplesamlphp security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://simplesamlphp.org/security/201612-04"
        },
        {
          "name": "DSA-4127",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2018/dsa-4127"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2017-12873",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953",
              "refsource": "CONFIRM",
              "url": "https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953"
            },
            {
              "name": "[debian-lts-announce] 20171212 [SECURITY] [DLA 1205-1] simplesamlphp security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html"
            },
            {
              "name": "https://simplesamlphp.org/security/201612-04",
              "refsource": "CONFIRM",
              "url": "https://simplesamlphp.org/security/201612-04"
            },
            {
              "name": "DSA-4127",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2018/dsa-4127"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2017-12873",
    "datePublished": "2017-09-01T21:00:00",
    "dateReserved": "2017-08-15T00:00:00",
    "dateUpdated": "2024-08-05T18:51:06.659Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:simplesamlphp:simplesamlphp:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.7.0\", \"versionEndIncluding\": \"1.14.10\", \"matchCriteriaId\": \"1F513BAE-A775-44DF-980A-1CEA3A25CA35\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"16F59A04-14CF-49E2-9973-645477EA09DA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DEECE5FC-CACF-4496-A3E7-164736409252\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured.\"}, {\"lang\": \"es\", \"value\": \"SimpleSAMLphp 1.7.0 hasta la versi\\u00f3n 1.14.10 permite que los atacantes obtengan informaci\\u00f3n sensible, consigan acceso sin autorizaci\\u00f3n o provoquen cualquier otro impacto sin especificar aprovechando la incorrecta generaci\\u00f3n persistente de NameID cuando no se configura correctamente un Identity Provider (IdP).\"}]",
      "id": "CVE-2017-12873",
      "lastModified": "2024-11-21T03:10:21.110",
      "metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 7.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2017-09-01T21:29:00.593",
      "references": "[{\"url\": \"https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953\", \"source\": \"cve@mitre.org\", \"tags\": [\"Issue Tracking\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://simplesamlphp.org/security/201612-04\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://www.debian.org/security/2018/dsa-4127\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://simplesamlphp.org/security/201612-04\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://www.debian.org/security/2018/dsa-4127\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-384\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2017-12873\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2017-09-01T21:29:00.593\",\"lastModified\":\"2025-04-20T01:37:25.860\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured.\"},{\"lang\":\"es\",\"value\":\"SimpleSAMLphp 1.7.0 hasta la versi\u00f3n 1.14.10 permite que los atacantes obtengan informaci\u00f3n sensible, consigan acceso sin autorizaci\u00f3n o provoquen cualquier otro impacto sin especificar aprovechando la incorrecta generaci\u00f3n persistente de NameID cuando no se configura correctamente un Identity Provider (IdP).\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-384\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:simplesamlphp:simplesamlphp:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.7.0\",\"versionEndIncluding\":\"1.14.10\",\"matchCriteriaId\":\"1F513BAE-A775-44DF-980A-1CEA3A25CA35\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"16F59A04-14CF-49E2-9973-645477EA09DA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEECE5FC-CACF-4496-A3E7-164736409252\"}]}]}],\"references\":[{\"url\":\"https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953\",\"source\":\"cve@mitre.org\",\"tags\":[\"Issue Tracking\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://simplesamlphp.org/security/201612-04\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://www.debian.org/security/2018/dsa-4127\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://simplesamlphp.org/security/201612-04\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://www.debian.org/security/2018/dsa-4127\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}

GSD-2017-12873

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2017-12873

Aliases

CVE-2017-12873

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2017-12873",
    "description": "SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured.",
    "id": "GSD-2017-12873",
    "references": [
      "https://www.debian.org/security/2018/dsa-4127"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2017-12873"
      ],
      "details": "SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured.",
      "id": "GSD-2017-12873",
      "modified": "2023-12-13T01:21:03.713964Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2017-12873",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953",
            "refsource": "CONFIRM",
            "url": "https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953"
          },
          {
            "name": "[debian-lts-announce] 20171212 [SECURITY] [DLA 1205-1] simplesamlphp security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html"
          },
          {
            "name": "https://simplesamlphp.org/security/201612-04",
            "refsource": "CONFIRM",
            "url": "https://simplesamlphp.org/security/201612-04"
          },
          {
            "name": "DSA-4127",
            "refsource": "DEBIAN",
            "url": "https://www.debian.org/security/2018/dsa-4127"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=1.7.0,\u003c=1.14.10",
          "affected_versions": "All versions starting from 1.7.0 up to 1.14.10",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-384",
            "CWE-937"
          ],
          "date": "2019-10-03",
          "description": "SimpleSAMLphp might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured.",
          "fixed_versions": [
            "1.14.11"
          ],
          "identifier": "CVE-2017-12873",
          "identifiers": [
            "CVE-2017-12873"
          ],
          "not_impacted": "All versions before 1.7.0, all versions after 1.14.10",
          "package_slug": "packagist/simplesamlphp/simplesamlphp",
          "pubdate": "2017-09-01",
          "solution": "Upgrade to version 1.14.11 or above.",
          "title": "Session Fixation",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2017-12873",
            "https://simplesamlphp.org/security/201612-04"
          ],
          "uuid": "392e3298-70af-4a00-8ae4-448e22b2c638"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:simplesamlphp:simplesamlphp:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "1.14.10",
                "versionStartIncluding": "1.7.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2017-12873"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-384"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://simplesamlphp.org/security/201612-04",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://simplesamlphp.org/security/201612-04"
            },
            {
              "name": "https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953",
              "refsource": "CONFIRM",
              "tags": [
                "Issue Tracking",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953"
            },
            {
              "name": "[debian-lts-announce] 20171212 [SECURITY] [DLA 1205-1] simplesamlphp security update",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html"
            },
            {
              "name": "DSA-4127",
              "refsource": "DEBIAN",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://www.debian.org/security/2018/dsa-4127"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2019-10-03T00:03Z",
      "publishedDate": "2017-09-01T21:29Z"
    }
  }
}

CNVD-2017-31287

Vulnerability from cnvd - Published: 2017-10-24

Title

SimpleSAMLphp不正确认证漏洞

Description

SimpleSAMLphp是一套实现了SAML 2.0服务提供者和标识提供者功能的PHP身份验证应用程序。 SimpleSAMLphp 1.7.0版本至1.14.10版本中存在安全漏洞。攻击者可利用该漏洞获取敏感信息并获取未授权的访问权限。

Severity

高

Patch Name

SimpleSAMLphp不正确认证漏洞的补丁

Patch Description

SimpleSAMLphp是一套实现了SAML 2.0服务提供者和标识提供者功能的PHP身份验证应用程序。 SimpleSAMLphp 1.7.0版本至1.14.10版本中存在安全漏洞。攻击者可利用该漏洞获取敏感信息并获取未授权的访问权限。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://simplesamlphp.org/security/201612-04

Reference

https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953

Impacted products

Name
SimpleSAMLphp simpleSAMLphp 1.7.0;1.14.10

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-12873",
      "cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873"
    }
  },
  "description": "SimpleSAMLphp\u662f\u4e00\u5957\u5b9e\u73b0\u4e86SAML 2.0\u670d\u52a1\u63d0\u4f9b\u8005\u548c\u6807\u8bc6\u63d0\u4f9b\u8005\u529f\u80fd\u7684PHP\u8eab\u4efd\u9a8c\u8bc1\u5e94\u7528\u7a0b\u5e8f\u3002\r\n\r\nSimpleSAMLphp 1.7.0\u7248\u672c\u81f31.14.10\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u5e76\u83b7\u53d6\u672a\u6388\u6743\u7684\u8bbf\u95ee\u6743\u9650\u3002",
  "discovererName": "SimpleSAMLphp",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://simplesamlphp.org/security/201612-04",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-31287",
  "openTime": "2017-10-24",
  "patchDescription": "SimpleSAMLphp\u662f\u4e00\u5957\u5b9e\u73b0\u4e86SAML 2.0\u670d\u52a1\u63d0\u4f9b\u8005\u548c\u6807\u8bc6\u63d0\u4f9b\u8005\u529f\u80fd\u7684PHP\u8eab\u4efd\u9a8c\u8bc1\u5e94\u7528\u7a0b\u5e8f\u3002\r\n\r\nSimpleSAMLphp 1.7.0\u7248\u672c\u81f31.14.10\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u5e76\u83b7\u53d6\u672a\u6388\u6743\u7684\u8bbf\u95ee\u6743\u9650\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "SimpleSAMLphp\u4e0d\u6b63\u786e\u8ba4\u8bc1\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "SimpleSAMLphp simpleSAMLphp 1.7.0;1.14.10"
  },
  "referenceLink": "https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953",
  "serverity": "\u9ad8",
  "submitTime": "2017-09-06",
  "title": "SimpleSAMLphp\u4e0d\u6b63\u786e\u8ba4\u8bc1\u6f0f\u6d1e"
}

GHSA-GP2M-7CFP-H6GF

Vulnerability from github – Published: 2020-01-24 21:28 – Updated: 2024-02-07 18:42

Summary

Incorrect persistent NameID generation in SimpleSAMLphp

Details

Background

When a SimpleSAMLphp Identity Provider is misconfigured, a bug in the software when trying to build a persistent NameID to univocally identify the authenticating subject could cause different users to get the same identifier generated, depending on the attributes available for them right after authentication.

Please note that even though this is possible thanks to a bug, an IdP must be misconfigured to release persistent NameIDs even if it is not properly configured to generate them based on the specifics of the deployment.

Description

Persistent NameIDs will typically be sent as part of the Subject element of a SAML assertion, or as the contents of the eduPersonTargetedID attribute. Here is an example of such a NameID:

<NameID Format=“urn:oasis:names:tc:SAML:2.0:nameid-format:persistent“>
    zbonsm0Yn9Gnw14uQEEPr6AO7d+IvxwCQN3t+o24jYs=
</NameID>

Some service providers will use this information to identify a user across sessions because a persistent NameID will never change for a given user. This could lead to different users accessing the same account in those service providers.

In order to be affected by this issue, the following circumstances must concur:

SimpleSAMLphp acts as an identity provider.
The service provider asking for authentication requests a persistent NameID.
No saml:PersistentNameID authentication processing filter is configured (neither for the whole IdP, nor for a given SP).
No simplesaml.nameidattribute configuration option is set (neither for the whole IdP, nor for a given SP).
One of the following alternatives:
No userid.attribute configuration option is set and the users don't have an eduPersonPrincipalName attribute in the users backend, or
the userid.attribute configuration option is set to an empty or missing attribute.

If all these requirements are met, the SimpleSAML_Auth_ProcessingChain class will try to keep a unique user identifier in the state array (addUserID() method). Bear in mind that this code is executed before all the authentication processing filters configured, meaning that only those attributes retrieved for the user during initial authentication will be available. If no userid.attribute configuration option is set, the default eduPersonPrincipalName will then be used. However, since it is missing, no identifier will be kept. Alternatively, if userid.attribute is set to a missing or empty attribute, the addUserID() method will abort trying to register an identifier.

After executing all authentication processing filters, SimpleSAMLphp will build a SAML assertion. If the service provider requests persistent NameIDs, SimpleSAMLphp will attempt to generate one given that none is already available (because the saml:PersistentNameID filter was not used). At this point, the code will look for the simplesaml.nameidattribute configuration option in either the local IdP metadata or in the remote SP metadata. If none of them are configured, it will default to the unique user identifier previously registered by SimpleSAML_Auth_ProcessingChain. If no identifier was kept there, the code will log an error message:

Unable to generate NameID. Check the userid.attribute option.

However, instead of aborting the NameID generation at that point, it will go on and use a value missing from the state array as the source for the computation, meaning the null type will be used. Hence, all users connecting to a given service provider will get the same NameID generated, because all the input parameters will be the same:

The SP's entity identifier.
The IdP's entity identifier.
The null value.
The common secret salt from the main configuration.

Affected versions

All SimpleSAMLphp versions between 1.7.0 and 1.14.10, inclusive.

Impact

Those identity providers affected by this bug and misconfigured as previously described could be issuing SAML assertions with common NameIDs for all or a subset of their users. If a service provider uses those NameIDs to identify the users of the affected IdP, all the users will be associated with the same user account at the service provider, causing all sorts of potential security issues like information disclosure or unauthorized access.

While we can consider this unlikely to happen, some cases have been already observed. In particular, some identity providers using default configurations and consuming metadata automatically (i.e. using the metarefresh module) while using a user backend like Active Directory that does not populate eduPersonPrincipalName are particularly sensitive to this issue.

Resolution

Upgrade to the latest version.

Configure a saml:PersistentNameID authentication processing filter according to your needs. Remember to check that the attribute used as the source for the NameID is present at the moment the saml:PersistentNameID filter is executed. The attribute used must be unique per user, and must not change over time.

Severity ?

9.8 (Critical)


                  
                    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "simplesamlphp/simplesamlphp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.7.0"
            },
            {
              "fixed": "1.14.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-12873"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-384"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-01-24T21:24:46Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Background\nWhen a SimpleSAMLphp Identity Provider is misconfigured, a bug in the software when trying to build a persistent `NameID` to univocally identify the authenticating subject could cause different users to get the same identifier generated, depending on the attributes available for them right after authentication.\n\nPlease note that even though this is possible thanks to a bug, **an IdP must be misconfigured** to release persistent `NameID`s even if it is not properly configured to generate them based on the specifics of the deployment.\n\n### Description\nPersistent `NameID`s will typically be sent as part of the `Subject` element of a SAML assertion, or as the contents of the `eduPersonTargetedID` attribute. Here is an example of such a `NameID`:\n\n    \u003cNameID Format=\u201curn:oasis:names:tc:SAML:2.0:nameid-format:persistent\u201c\u003e\n        zbonsm0Yn9Gnw14uQEEPr6AO7d+IvxwCQN3t+o24jYs=\n    \u003c/NameID\u003e\n\nSome service providers will use this information to identify a user across sessions because a persistent `NameID` will never change for a given user. This could lead to different users accessing the same account in those service providers.\n\nIn order to be affected by this issue, the following circumstances must concur:\n\n- SimpleSAMLphp acts as an identity provider.\n- The service provider asking for authentication requests a persistent `NameID`.\n- No `saml:PersistentNameID` authentication processing filter is configured (neither for the whole IdP, nor for a given SP).\n- No `simplesaml.nameidattribute` configuration option is set (neither for the whole IdP, nor for a given SP).\n- One of the following alternatives:\n  - No `userid.attribute` configuration option is set **and** the users don\u0027t have an `eduPersonPrincipalName` attribute in the users backend, **or**\n  - the `userid.attribute` configuration option is set to an empty or missing attribute.\n\nIf all these requirements are met, the `SimpleSAML_Auth_ProcessingChain` class will try to keep a unique user identifier in the state array (`addUserID()` method). Bear in mind that this code is executed **before** all the authentication processing filters configured, meaning that only those attributes retrieved for the user during **initial authentication** will be available. If no `userid.attribute` configuration option is set, the default `eduPersonPrincipalName` will then be used. However, since it is missing, no identifier will be kept. Alternatively, if `userid.attribute` is set to a missing or empty attribute, the `addUserID()` method will abort trying to register an identifier.\n\nAfter executing all authentication processing filters, SimpleSAMLphp will build a SAML assertion. If the service provider requests persistent `NameID`s, SimpleSAMLphp will attempt to generate one given that none is already available (because the `saml:PersistentNameID` filter was not used). At this point, the code will look for the `simplesaml.nameidattribute` configuration option in either the local IdP metadata or in the remote SP metadata. If none of them are configured, it will default to the unique user identifier previously registered by `SimpleSAML_Auth_ProcessingChain`. If no identifier was kept there, the code will log an error message:\n\n    Unable to generate NameID. Check the userid.attribute option.\n\nHowever, instead of aborting the `NameID` generation at that point, it will go on and use a value missing from the state array as the source for the computation, meaning the `null` type will be used. Hence, all users connecting to a given service provider will get the same `NameID` generated, because all the input parameters will be the same:\n\n- The SP\u0027s entity identifier.\n- The IdP\u0027s entity identifier.\n- The `null` value.\n- The common secret salt from the main configuration.\n\n### Affected versions\nAll SimpleSAMLphp versions between 1.7.0 and 1.14.10, inclusive.\n\n### Impact\nThose identity providers affected by this bug and misconfigured as previously described could be issuing SAML assertions with common `NameID`s for all or a subset of their users. If a service provider uses those `NameID`s to identify the users of the affected IdP, all the users will be associated with the same user account at the service provider, causing all sorts of potential security issues like information disclosure or unauthorized access.\n\nWhile we can consider this unlikely to happen, some cases have been already observed. In particular, some identity providers using default configurations and consuming metadata automatically (i.e. using the _metarefresh_ module) while using a user backend like _Active Directory_ that does not populate `eduPersonPrincipalName` are particularly sensitive to this issue.\n\n### Resolution\nUpgrade to the latest version.\n\nConfigure a `saml:PersistentNameID` authentication processing filter according to your needs. Remember to check that **the attribute used as the source** for the `NameID` **is present at the moment the `saml:PersistentNameID` filter is executed**. The attribute used must be **unique** per user, and **must not change** over time.",
  "id": "GHSA-gp2m-7cfp-h6gf",
  "modified": "2024-02-07T18:42:34Z",
  "published": "2020-01-24T21:28:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-gp2m-7cfp-h6gf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12873"
    },
    {
      "type": "WEB",
      "url": "https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12873.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html"
    },
    {
      "type": "WEB",
      "url": "https://simplesamlphp.org/security/201612-04"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2018/dsa-4127"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Incorrect persistent NameID generation in SimpleSAMLphp"
}

FKIE_CVE-2017-12873

Vulnerability from fkie_nvd - Published: 2017-09-01 21:29 - Updated: 2025-04-20 01:37

Severity ?

9.8 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
cve@mitre.org	https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953	Issue Tracking, Patch, Third Party Advisory
cve@mitre.org	https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html	Mailing List, Third Party Advisory
cve@mitre.org	https://simplesamlphp.org/security/201612-04	Patch, Vendor Advisory
cve@mitre.org	https://www.debian.org/security/2018/dsa-4127	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953	Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://simplesamlphp.org/security/201612-04	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.debian.org/security/2018/dsa-4127	Third Party Advisory

Impacted products

Vendor	Product	Version
simplesamlphp	simplesamlphp	*
debian	debian_linux	7.0
debian	debian_linux	8.0
debian	debian_linux	9.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:simplesamlphp:simplesamlphp:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1F513BAE-A775-44DF-980A-1CEA3A25CA35",
              "versionEndIncluding": "1.14.10",
              "versionStartIncluding": "1.7.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured."
    },
    {
      "lang": "es",
      "value": "SimpleSAMLphp 1.7.0 hasta la versi\u00f3n 1.14.10 permite que los atacantes obtengan informaci\u00f3n sensible, consigan acceso sin autorizaci\u00f3n o provoquen cualquier otro impacto sin especificar aprovechando la incorrecta generaci\u00f3n persistente de NameID cuando no se configura correctamente un Identity Provider (IdP)."
    }
  ],
  "id": "CVE-2017-12873",
  "lastModified": "2025-04-20T01:37:25.860",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-09-01T21:29:00.593",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://simplesamlphp.org/security/201612-04"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2018/dsa-4127"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://simplesamlphp.org/security/201612-04"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2018/dsa-4127"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-384"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2017-12873 (GCVE-0-2017-12873)

GSD-2017-12873

CNVD-2017-31287

GHSA-GP2M-7CFP-H6GF

Background

Description

Affected versions

Impact

Resolution

FKIE_CVE-2017-12873

Tags

Sightings

Nomenclature