Timing Side-Channel Vulnerability in SimpleSAMLphp Authcrypt Module
CVE-2017-12872

5.9MEDIUM

Key Information:

Vendor

SimplesamlPHP

Status
SimplesamlPHP
Vendor
CVE Published:
1 September 2017

What is CVE-2017-12872?

The Htpasswd authentication source in the authcrypt module and the SimpleSAML_Session class in SimpleSAMLphp versions up to 1.14.11 are susceptible to timing side-channel attacks. Attackers can exploit this vulnerability by using the standard comparison operator to make comparisons between secret information and user input, potentially allowing unauthorized access to sensitive authentication data.

References

https://simplesamlphp.org/security/201703-01
x_refsource_CONFIRM
https://lists.debian.org/debian-lts-announce/2017/12/msg0...
mailing-listx_refsource_MLIST
https://lists.debian.org/debian-lts-announce/2018/06/msg0...
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.