Signature Validation Vulnerability in SimpleSAMLphp Library
CVE-2018-7711
8.1 HIGH
What is CVE-2018-7711?
The signature validation utilities in the SimpleSAMLphp library prior to version 1.15.4 contain a flaw in the HTTPRedirect.php file: the result of the signature validation process is evaluated improperly, which allows attackers to present invalid signatures as valid. The issue arises from relying on PHP's boolean conversion, under which an error condition, specifically the -1 error code, is treated as true. A validation error is therefore accepted as a successful check, leading to security risks in authentication processes.
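The loose check described above, next to a strict one, as an added example that is not SimpleSAMLphp's own code. It assumes PHP's `openssl_verify()` as a stand-in verifier (documented to return 1, 0, and -1 or false on error); the function names, key, and query string are hypothetical and constructed for the illustration.

```php
<?php
// Added illustration; the function names are hypothetical and are not
// SimpleSAMLphp's API. openssl_verify() stands in for the signature verifier.

// Flawed pattern: the verifier's return value is used as a boolean.
// PHP converts any non-zero integer, including -1, to true.
function accept_loose($verifyResult): bool
{
    return (bool) $verifyResult;   // equivalent to `if ($verifyResult)`
}

// Hardened pattern: only the exact integer 1 means "signature is correct".
function accept_strict($verifyResult): bool
{
    return $verifyResult === 1;
}

// Constructed sample data: a throwaway EC key and a made-up signed query string.
$key = openssl_pkey_new([
    'private_key_type' => OPENSSL_KEYTYPE_EC,
    'curve_name'       => 'prime256v1',
]);
if ($key === false) {
    fwrite(STDERR, "could not generate a test key\n");
    exit(1);
}
$pub   = openssl_pkey_get_details($key)['key'];
$query = 'SAMLRequest=constructed&RelayState=constructed&SigAlg=constructed';
openssl_sign($query, $sig, $key, OPENSSL_ALGO_SHA256);

$cases = [
    'valid signature'        => openssl_verify($query, $sig, $pub, OPENSSL_ALGO_SHA256),
    'tampered query'         => openssl_verify($query . 'x', $sig, $pub, OPENSSL_ALGO_SHA256),
    'verifier error (-1)'    => -1,     // documented error return, injected directly
    'verifier error (false)' => false,  // the other documented error return
];

foreach ($cases as $label => $result) {
    printf(
        "%-24s result=%-5s loose=%-8s strict=%s\n",
        $label,
        var_export($result, true),
        accept_loose($result) ? 'ACCEPT' : 'reject',
        accept_strict($result) ? 'ACCEPT' : 'reject'
    );
}
```

When auditing similar code, look for verifier results used directly in `if (...)` or negated with `!` rather than compared with `=== 1`.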
