CVSS: 5.9EPSS: 0%CPEs: 12EXPL: 0CVE-2017-12871
https://notcve.org/view.php?id=CVE-2017-12871
01 Sep 2017 — The aesEncrypt method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.x through 1.14.11 makes it easier for context-dependent attackers to bypass the encryption protection mechanism by leveraging use of the first 16 bytes of the secret key as the initialization vector (IV). El método aesEncrypt en lib/SimpleSAML/Utils/Crypto.php en SimpleSAMLphp 1.14.x hasta la versión 1.14.11 facilita que los atacantes dependientes del contexto omitan el mecanismo de de protección de cifrado aprovechando el uso de... • https://github.com/simplesamlphp/simplesamlphp/commit/77df6a932d46daa35e364925eb73a175010dc904 • CWE-326: Inadequate Encryption Strength •
CVSS: 5.9EPSS: 0%CPEs: 3EXPL: 0CVE-2017-12872
https://notcve.org/view.php?id=CVE-2017-12872
01 Sep 2017 — The (1) Htpasswd authentication source in the authcrypt module and (2) SimpleSAML_Session class in SimpleSAMLphp 1.14.11 and earlier allow remote attackers to conduct timing side-channel attacks by leveraging use of the standard comparison operator to compare secret material against user input. El origen de autenticación (1) Htpasswd en el módulo authcrypt y (2) la clase SimpleSAML_Session en SimpleSAMLphp 1.14.11 y anteriores permite que atacantes remotos lleven a cabo ataques de intervalos de canal latera... • https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2017-12873 – Debian Security Advisory 4127-1
https://notcve.org/view.php?id=CVE-2017-12873
01 Sep 2017 — SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured. SimpleSAMLphp 1.7.0 hasta la versión 1.14.10 permite que los atacantes obtengan información sensible, consigan acceso sin autorización o provoquen cualquier otro impacto sin especificar aprovechando la incorrecta generación persistente de NameID cuando no se... • https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953 • CWE-384: Session Fixation •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2017-12868
https://notcve.org/view.php?id=CVE-2017-12868
01 Sep 2017 — The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation. El método secureCompare en lib/SimpleSAML/Utils/Crypto.php en SimpleSAMLphp 1.14.13 y anteriores, al usarse con PHP en versiones anteriores a la 5.6, permite que los atacantes lleven a cabo ataques de fijación de sesión o que, ... • https://github.com/simplesamlphp/simplesamlphp/commit/4bc629658e7b7d17c9ac3fe0da7dc5df71f1b85e • CWE-384: Session Fixation •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2017-12869 – Debian Security Advisory 4127-1
https://notcve.org/view.php?id=CVE-2017-12869
01 Sep 2017 — The multiauth module in SimpleSAMLphp 1.14.13 and earlier allows remote attackers to bypass authentication context restrictions and use an authentication source defined in config/authsources.php via vectors related to improper validation of user input. El módulo multiauth en SimpleSAMLphp 1.14.13 y anteriores permite que atacantes remotos omitan las restricciones de contexto de autenticación y empleen un origen de autenticación definido en config/authsources.php mediante vectores relacionados en la validaci... • https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html • CWE-20: Improper Input Validation •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2017-12870
https://notcve.org/view.php?id=CVE-2017-12870
01 Sep 2017 — SimpleSAMLphp 1.14.12 and earlier make it easier for man-in-the-middle attackers to obtain sensitive information by leveraging use of the aesEncrypt and aesDecrypt methods in the SimpleSAML/Utils/Crypto class to protect session identifiers in replies to non-HTTPS service providers. SimpleSAMLphp 1.14.12 y anteriores hace que sea más fácil para atacantes Man-in-the-Middle (MitM) obtener información sensible mediante el aprovechamiento de los métodos aesEncrypt y aesDecrypt en la clase SimpleSAML/Utils/Crypto... • https://simplesamlphp.org/security/201704-01 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2017-12867 – Debian Security Advisory 4127-1
https://notcve.org/view.php?id=CVE-2017-12867
29 Aug 2017 — The SimpleSAML_Auth_TimeLimitedToken class in SimpleSAMLphp 1.14.14 and earlier allows attackers with access to a secret token to extend its validity period by manipulating the prepended time offset. La clase SimpleSAML_Auth_TimeLimitedToken en SimpleSAMLphp 1.14.14 y anteriores permite que atacantes con acceso a un token secreto extiendan su periodo de validez manipulando el offset de tiempo antepuesto. Several vulnerabilities have been discovered in SimpleSAMLphp, a framework for authentication, primarily... • https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html • CWE-613: Insufficient Session Expiration •
CVSS: 6.3EPSS: 0%CPEs: 2EXPL: 0CVE-2016-9955
https://notcve.org/view.php?id=CVE-2016-9955
16 Feb 2017 — The SimpleSAML_XML_Validator class constructor in SimpleSAMLphp before 1.14.11 might allow remote attackers to spoof signatures on SAML 1 responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean. El constructor de clase SimpleSAML_XML_Validator en SimpleSAMLphp en versiones anteriores a 1.14.11 podría permitir a atacantes remotos suplantar firmas en respuestas SAML 1 o posiblemente provocar una denegación de servicio (consumo de memor... • http://www.securityfocus.com/bid/94946 • CWE-20: Improper Input Validation •