CVE-2017-18122

Name: CVE-2017-18122
Description: A signature-validation bypass issue was discovered in SimpleSAMLphp through 1.14.16. A SimpleSAMLphp Service Provider using SAML 1.1 will regard as valid any unsigned SAML response containing more than one signed assertion, provided that the signature of at least one of the assertions is valid. Attributes contained in all the assertions received will be merged and the entityID of the first assertion received will be used, allowing an attacker to impersonate any user of any IdP given an assertion signed by the targeted IdP.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-1273-1, DSA-4127-1
NVD severity: medium (attack range: remote)
Debian Bugs: 889286

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| simplesamlphp (PTS) | jessie | 1.13.1-2+deb8u1 | fixed |
| | jessie (security) | 1.13.1-2+deb8u2 | fixed |
| | stretch (security), stretch | 1.14.11-1+deb9u1 | fixed |
| | buster, sid | 1.16.2-1 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| simplesamlphp | source | (unstable) | 1.15.0-1 | medium | | 889286 |
| simplesamlphp | source | jessie | 1.13.1-2+deb8u1 | medium | DSA-4127-1 | |
| simplesamlphp | source | stretch | 1.14.11-1+deb9u1 | medium | DSA-4127-1 | |
| simplesamlphp | source | wheezy | 1.9.2-1+deb7u2 | medium | DLA-1273-1 | |

Notes

https://simplesamlphp.org/security/201710-01
https://github.com/simplesamlphp/simplesamlphp/commit/e2d53086abbb253efb24ddcb49b116246eb0b6ca (v1.14.17)
