9.8

CVE-2017-12873

SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
SimplesamlphpSimplesamlphp Version >= 1.7.0 <= 1.14.10
DebianDebian Linux Version7.0
DebianDebian Linux Version8.0
DebianDebian Linux Version9.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.66% 0.735
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-384 Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html
Third Party Advisory
Mailing List
https://www.debian.org/security/2018/dsa-4127
Third Party Advisory
https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953
Patch
Third Party Advisory
Issue Tracking
https://simplesamlphp.org/security/201612-04
Patch
Vendor Advisory