CVE-2018-7711
Summary
| CVE | CVE-2018-7711 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2018-03-05 22:29:00 UTC |
| Updated | 2018-03-29 15:24:00 UTC |
| Description | HTTPRedirect.php in the saml2 library in SimpleSAMLphp before 1.15.4 has an incorrect check of return values in the signature validation utilities, allowing an attacker to get invalid signatures accepted as valid by forcing an error during validation. This occurs because of a dependency on PHP functionality that interprets a -1 error code as a true boolean value. |
Risk And Classification
Problem Types: CWE-347 (Improper Verification of Cryptographic Signature)
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Debian | Debian Linux | 7.0 | All | All | All |
| Application | Simplesamlphp | Saml2 | All | All | All | All |
| Application | Simplesamlphp | Simplesamlphp | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Be strict when checking return values. · simplesamlphp/saml2@4f6af7f · GitHub | CONFIRM | github.com | Patch |
| [SECURITY] [DLA 1314-1] simplesamlphp security update | MLIST | lists.debian.org | Third Party Advisory |
| SimpleSAMLphp | CONFIRM | simplesamlphp.org | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |