{"api_version":"1","generated_at":"2026-04-27T16:51:01+00:00","cve":"CVE-2017-12873","urls":{"html":"https://cve.report/CVE-2017-12873","api":"https://cve.report/api/cve/CVE-2017-12873.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2017-12873","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2017-12873"},"summary":{"title":"CVE-2017-12873","description":"SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2017-09-01 21:29:00","updated_at":"2019-10-03 00:03:00"},"problem_types":["CWE-384"],"metrics":[],"references":[{"url":"https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953","name":"https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953","refsource":"CONFIRM","tags":["Issue Tracking","Patch","Third Party Advisory"],"title":"bugfix: Make sure a persistent NameID is not generated by default whe… · simplesamlphp/simplesamlphp@90dca83 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.debian.org/security/2018/dsa-4127","name":"DSA-4127","refsource":"DEBIAN","tags":["Third Party Advisory"],"title":"Debian -- Security Information -- DSA-4127-1 simplesamlphp","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html","name":"[debian-lts-announce] 20171212 [SECURITY] [DLA 1205-1] simplesamlphp security update","refsource":"MLIST","tags":["Mailing List","Third Party Advisory"],"title":"[SECURITY] [DLA 1205-1] simplesamlphp security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://simplesamlphp.org/security/201612-04","name":"https://simplesamlphp.org/security/201612-04","refsource":"CONFIRM","tags":["Patch","Vendor Advisory"],"title":"SimpleSAMLphp","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2017-12873","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12873","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2017","cve_id":"12873","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"7.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12873","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12873","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12873","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"7.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12873","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12873","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12873","vulnerable":"1","versionEndIncluding":"1.14.10","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"simplesamlphp","cpe5":"simplesamlphp","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2017-12873","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953","refsource":"CONFIRM","url":"https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953"},{"name":"[debian-lts-announce] 20171212 [SECURITY] [DLA 1205-1] simplesamlphp security update","refsource":"MLIST","url":"https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html"},{"name":"https://simplesamlphp.org/security/201612-04","refsource":"CONFIRM","url":"https://simplesamlphp.org/security/201612-04"},{"name":"DSA-4127","refsource":"DEBIAN","url":"https://www.debian.org/security/2018/dsa-4127"}]}},"nvd":{"publishedDate":"2017-09-01 21:29:00","lastModifiedDate":"2019-10-03 00:03:00","problem_types":["CWE-384"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":7.5},"severity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:simplesamlphp:simplesamlphp:*:*:*:*:*:*:*:*","versionStartIncluding":"1.7.0","versionEndIncluding":"1.14.10","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2017","CveId":"12873","Ordinal":"110024","Title":"CVE-2017-12873","CVE":"CVE-2017-12873","Year":"2017"},"notes":[{"CveYear":"2017","CveId":"12873","Ordinal":"1","NoteData":"SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured.","Type":"Description","Title":null},{"CveYear":"2017","CveId":"12873","Ordinal":"2","NoteData":"2017-09-01","Type":"Other","Title":"Published"},{"CveYear":"2017","CveId":"12873","Ordinal":"3","NoteData":"2018-03-03","Type":"Other","Title":"Modified"}]}}}