CVE-2019-3465

NameCVE-2019-3465
DescriptionRob Richards XmlSecLibs, all versions prior to v3.0.3, as used for example by SimpleSAMLphp, performed incorrect validation of cryptographic signatures in XML messages, allowing an authenticated attacker to impersonate others or elevate privileges by creating a crafted XML message.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1983-1, DSA-4560-1
Debian Bugs944107

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
simplesamlphp (PTS)bullseye1.19.0-1fixed
sid, trixie, bookworm1.19.7-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
simplesamlphpsourcejessie1.13.1-2+deb8u3DLA-1983-1
simplesamlphpsourcestretch1.14.11-1+deb9u2DSA-4560-1
simplesamlphpsourcebuster1.16.3-1+deb10u1DSA-4560-1
simplesamlphpsource(unstable)1.17.6-2944107

Notes

https://groups.google.com/forum/#!msg/simplesamlphp-announce/2odMqz63z7k/6zQQeM91EwAJ
https://simplesamlphp.org/security/201911-01
Search for package or bug name: Reporting problems