CVE-2017-12873

critical

Description

SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured.

References

https://www.debian.org/security/2018/dsa-4127

https://simplesamlphp.org/security/201612-04

https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html

https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953

Details

Source: Mitre, NVD

Published: 2017-09-01

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical