CVSS: 5.9EPSS: 0%CPEs: 12EXPL: 0CVE-2017-12871
https://notcve.org/view.php?id=CVE-2017-12871
01 Sep 2017 — The aesEncrypt method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.x through 1.14.11 makes it easier for context-dependent attackers to bypass the encryption protection mechanism by leveraging use of the first 16 bytes of the secret key as the initialization vector (IV). El método aesEncrypt en lib/SimpleSAML/Utils/Crypto.php en SimpleSAMLphp 1.14.x hasta la versión 1.14.11 facilita que los atacantes dependientes del contexto omitan el mecanismo de de protección de cifrado aprovechando el uso de... • https://github.com/simplesamlphp/simplesamlphp/commit/77df6a932d46daa35e364925eb73a175010dc904 • CWE-326: Inadequate Encryption Strength •
CVSS: 5.9EPSS: 0%CPEs: 3EXPL: 0CVE-2017-12872
https://notcve.org/view.php?id=CVE-2017-12872
01 Sep 2017 — The (1) Htpasswd authentication source in the authcrypt module and (2) SimpleSAML_Session class in SimpleSAMLphp 1.14.11 and earlier allow remote attackers to conduct timing side-channel attacks by leveraging use of the standard comparison operator to compare secret material against user input. El origen de autenticación (1) Htpasswd en el módulo authcrypt y (2) la clase SimpleSAML_Session en SimpleSAMLphp 1.14.11 y anteriores permite que atacantes remotos lleven a cabo ataques de intervalos de canal latera... • https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2017-12868
https://notcve.org/view.php?id=CVE-2017-12868
01 Sep 2017 — The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation. El método secureCompare en lib/SimpleSAML/Utils/Crypto.php en SimpleSAMLphp 1.14.13 y anteriores, al usarse con PHP en versiones anteriores a la 5.6, permite que los atacantes lleven a cabo ataques de fijación de sesión o que, ... • https://github.com/simplesamlphp/simplesamlphp/commit/4bc629658e7b7d17c9ac3fe0da7dc5df71f1b85e • CWE-384: Session Fixation •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2017-12869 – Debian Security Advisory 4127-1
https://notcve.org/view.php?id=CVE-2017-12869
01 Sep 2017 — The multiauth module in SimpleSAMLphp 1.14.13 and earlier allows remote attackers to bypass authentication context restrictions and use an authentication source defined in config/authsources.php via vectors related to improper validation of user input. El módulo multiauth en SimpleSAMLphp 1.14.13 y anteriores permite que atacantes remotos omitan las restricciones de contexto de autenticación y empleen un origen de autenticación definido en config/authsources.php mediante vectores relacionados en la validaci... • https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html • CWE-20: Improper Input Validation •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2017-12870
https://notcve.org/view.php?id=CVE-2017-12870
01 Sep 2017 — SimpleSAMLphp 1.14.12 and earlier make it easier for man-in-the-middle attackers to obtain sensitive information by leveraging use of the aesEncrypt and aesDecrypt methods in the SimpleSAML/Utils/Crypto class to protect session identifiers in replies to non-HTTPS service providers. SimpleSAMLphp 1.14.12 y anteriores hace que sea más fácil para atacantes Man-in-the-Middle (MitM) obtener información sensible mediante el aprovechamiento de los métodos aesEncrypt y aesDecrypt en la clase SimpleSAML/Utils/Crypto... • https://simplesamlphp.org/security/201704-01 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2017-12867 – Debian Security Advisory 4127-1
https://notcve.org/view.php?id=CVE-2017-12867
29 Aug 2017 — The SimpleSAML_Auth_TimeLimitedToken class in SimpleSAMLphp 1.14.14 and earlier allows attackers with access to a secret token to extend its validity period by manipulating the prepended time offset. La clase SimpleSAML_Auth_TimeLimitedToken en SimpleSAMLphp 1.14.14 y anteriores permite que atacantes con acceso a un token secreto extiendan su periodo de validez manipulando el offset de tiempo antepuesto. Several vulnerabilities have been discovered in SimpleSAMLphp, a framework for authentication, primarily... • https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html • CWE-613: Insufficient Session Expiration •