VDB
CVE-2017-12868
CVE-2017-12868
PUBLISHED
The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation.
EPSS 0.76% · 73.8th percentile
Risk Scores
EPSS Score
0.76%
73.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:16.04:LTS | simplesamlphp | 1.13.2-1, 1.14.0-1, 1.14.0-1ubuntu2 |
Exploit Intelligence
- https://simplesamlphp.org/security/201705-01 (circl)
- [debian-lts-announce] 20171212 [SECURITY] [DLA 1205-1] simplesamlphp security update (circl)
- https://github.com/simplesamlphp/simplesamlphp/commit/4bc629658e7b7d17c9ac3fe0da7dc5df71f1b85e (circl)
- [debian-lts-announce] 20180629 [SECURITY] [DLA 1408-1] simplesamlphp security update (circl)
Timeline
- Sep 1, 2017 CVE Published
- Jul 1, 2018 CVE Updated
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- May 2, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Sep 5, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
- Jan 8, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2017-12868 third-party-advisory
- https://simplesamlphp.org/security/201705-01 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2017-12868 third-party-advisory