8.1

CVE-2018-7711

EPSS 0.21%
Veröffentlicht 05.03.2018 22:29:00
Zuletzt bearbeitet 21.11.2024 04:12:34
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

HTTPRedirect.php in the saml2 library in SimpleSAMLphp before 1.15.4 has an incorrect check of return values in the signature validation utilities, allowing an attacker to get invalid signatures accepted as valid by forcing an error during validation. This occurs because of a dependency on PHP functionality that interprets a -1 error code as a true boolean value.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Simplesamlphp ≫ Simplesamlphp Version < 1.15.4

Simplesamlphp ≫ Saml2 Version >= 1.0.0 < 1.10.6

Simplesamlphp ≫ Saml2 Version >= 2.0.0 < 2.3.8

Simplesamlphp ≫ Saml2 Version >= 3.0.0 < 3.1.4

Debian ≫ Debian Linux Version7.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.21%	0.434

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.1	2.2	5.9	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P

CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

https://github.com/simplesamlphp/saml2/commit/4f6af7f69f29df8555a18b9bb7b646906b45924d

Patch

https://lists.debian.org/debian-lts-announce/2018/03/msg00017.html

Third Party Advisory

https://simplesamlphp.org/security/201803-01

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2018-7711

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-7711

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-7711

EUVD