Signature-Validation Bypass in SimpleSAMLphp by SimpleSAMLphp
CVE-2017-18122

8.1 HIGH

Key Information:

Vendor
CVE Published: 2 February 2018

What is CVE-2017-18122?

A signature-validation bypass exists in SimpleSAMLphp versions up to 1.14.16. When SAML 1.1 is in use, an unsigned SAML response that contains multiple signed assertions is deemed legitimate as long as one of those signatures is valid. Attributes from all received assertions are then merged, and the entityID is taken from the first assertion. As a result, an attacker who holds a single valid assertion can impersonate any user from any Identity Provider (IdP) and gain unauthorized access.
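The check described above, next to a hardened form, as an added example: this is a simplified model written for this page, not SimpleSAMLphp code and not the project's actual fix. The Assertion class, the function names, the key and the sample values are assumptions, and an HMAC stands in for the XML signature.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed key; an HMAC stands in for the XML signature on a real assertion.
IDP_KEY = b"constructed-idp-key"

@dataclass
class Assertion:
    issuer: str
    attributes: dict
    signature: bytes = b""

    def digest(self) -> bytes:
        body = repr((self.issuer, sorted(self.attributes.items()))).encode()
        return hmac.new(IDP_KEY, body, hashlib.sha256).digest()

def sign(a: Assertion) -> Assertion:
    a.signature = a.digest()
    return a

def signature_ok(a: Assertion) -> bool:
    return hmac.compare_digest(a.digest(), a.signature)

def merge(assertions):
    # Mirrors the behaviour the advisory describes: attributes from every
    # assertion are merged and the entityID comes from the first one.
    merged = {}
    for a in assertions:
        for name, values in a.attributes.items():
            merged.setdefault(name, []).extend(values)
    return assertions[0].issuer, merged

def accept_one_valid(assertions):
    """Flawed check: a single valid signature vouches for the whole response."""
    if not any(signature_ok(a) for a in assertions):
        raise ValueError("no valid signature")
    return merge(assertions)

def accept_all_valid(assertions):
    """Hardened check: every assertion must carry a valid signature."""
    if not assertions or not all(signature_ok(a) for a in assertions):
        raise ValueError("response contains an unverified assertion")
    return merge(assertions)

# Constructed input: an unsigned assertion placed ahead of a genuinely signed one.
UNSIGNED = Assertion("https://other-idp.example", {"uid": ["admin"]})
SIGNED = sign(Assertion("https://idp.example", {"uid": ["alice"]}))
```

With the constructed input, the flawed check returns the unsigned assertion's issuer and attributes alongside the signed ones, while the hardened check rejects the response.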

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
