cvelistv5 - CVE-2016-9955

CVE-2016-9955 (GCVE-0-2016-9955)

Vulnerability from cvelistv5

Published

2017-02-16 18:00

Modified

2024-08-06 03:07

Severity ?

CWE

Summary

The SimpleSAML_XML_Validator class constructor in SimpleSAMLphp before 1.14.11 might allow remote attackers to spoof signatures on SAML 1 responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean.

References

URL	Tags
security@debian.org	http://www.securityfocus.com/bid/94946	Third Party Advisory, VDB Entry
security@debian.org	https://lists.debian.org/debian-lts-announce/2018/03/msg00001.html	Third Party Advisory
security@debian.org	https://simplesamlphp.org/security/201612-02	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/94946	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2018/03/msg00001.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://simplesamlphp.org/security/201612-02	Vendor Advisory

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T03:07:31.779Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://simplesamlphp.org/security/201612-02"
          },
          {
            "name": "94946",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/94946"
          },
          {
            "name": "[debian-lts-announce] 20180302 [SECURITY] [DLA 1297-1] simplesamlphp security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-12-12T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The SimpleSAML_XML_Validator class constructor in SimpleSAMLphp before 1.14.11 might allow remote attackers to spoof signatures on SAML 1 responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-03-03T10:57:01",
        "orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
        "shortName": "debian"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://simplesamlphp.org/security/201612-02"
        },
        {
          "name": "94946",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/94946"
        },
        {
          "name": "[debian-lts-announce] 20180302 [SECURITY] [DLA 1297-1] simplesamlphp security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00001.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@debian.org",
          "ID": "CVE-2016-9955",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The SimpleSAML_XML_Validator class constructor in SimpleSAMLphp before 1.14.11 might allow remote attackers to spoof signatures on SAML 1 responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://simplesamlphp.org/security/201612-02",
              "refsource": "CONFIRM",
              "url": "https://simplesamlphp.org/security/201612-02"
            },
            {
              "name": "94946",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/94946"
            },
            {
              "name": "[debian-lts-announce] 20180302 [SECURITY] [DLA 1297-1] simplesamlphp security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00001.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
    "assignerShortName": "debian",
    "cveId": "CVE-2016-9955",
    "datePublished": "2017-02-16T18:00:00",
    "dateReserved": "2016-12-15T00:00:00",
    "dateUpdated": "2024-08-06T03:07:31.779Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2016-9955\",\"sourceIdentifier\":\"security@debian.org\",\"published\":\"2017-02-17T02:59:14.233\",\"lastModified\":\"2025-04-20T01:37:25.860\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The SimpleSAML_XML_Validator class constructor in SimpleSAMLphp before 1.14.11 might allow remote attackers to spoof signatures on SAML 1 responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean.\"},{\"lang\":\"es\",\"value\":\"El constructor de clase SimpleSAML_XML_Validator en SimpleSAMLphp en versiones anteriores a 1.14.11 podr\u00eda permitir a atacantes remotos suplantar firmas en respuestas SAML 1 o posiblemente provocar una denegaci\u00f3n de servicio (consumo de memoria) aprovechando la conversi\u00f3n incorrecta de valores de retorno a valores booleanos.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.0,\"impactScore\":5.2}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:H/Au:N/C:N/I:P/A:P\",\"baseScore\":4.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"HIGH\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":4.9,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:simplesamlphp:simplesamlphp:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.14.11\",\"matchCriteriaId\":\"40A192FB-B0BF-4058-AE15-2FBD239B8E52\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"16F59A04-14CF-49E2-9973-645477EA09DA\"}]}]}],\"references\":[{\"url\":\"http://www.securityfocus.com/bid/94946\",\"source\":\"security@debian.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2018/03/msg00001.html\",\"source\":\"security@debian.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://simplesamlphp.org/security/201612-02\",\"source\":\"security@debian.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/94946\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2018/03/msg00001.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://simplesamlphp.org/security/201612-02\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}

ghsa-p9cm-r7jg-8q3g

Vulnerability from github

Published

2020-01-24 21:27

Modified

2021-08-19 16:43

Severity ?

6.3 (Medium) - CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H

Summary

Incorrect signature verification in SimpleSAMLphp

Details

Background

An incorrect check of return values in the signature validation utilities allows an attacker to get invalid signatures accepted as valid by forcing an error during validation.

Description

The SimpleSAML_XML_Validator class allows the verification of the XML digital signature of a SAML 1 message with a given key. In particular, the constructor of the class receives an XML node and a key to verify it and throws an exception in case there is an error, either caused by incorrect input or an invalid signature. This method uses the verify() method from the RobRichards\XMLSecDSig class to verify the signature with the given key, which in turn will end up calling openssl_verify() depending on the signature algorithm used.

The openssl_verify() function returns 1 when the signature was successfully verified, 0 if it failed to verify with the given key and -1 in case an error occurs. PHP allows translating numerical values to boolean implicitly, with the following correspondences:

0 equals false
Non-zero equals true

This means that an implicit conversion to boolean of the values returned by openssl_verify() will convert an error state, signaled by the value -1, to successful verification of the signature (represented by the boolean true).

The aforementioned constructor was performing an implicit conversion to boolean of the values returned by the verify() method, which subsequently will return the same output as openssl_verify() under most circumstances. This means an error during signature verification is treated as a successful verification by the method.

Affected versions

All SimpleSAMLphp versions prior to 1.14.11.

Impact

Upon successful exploitation, an invalid signature would be regarded as valid by an affected version of the software. This allows attackers to modify or manually craft SAML 1 response messages and, by triggering a signature validation error in the affected party, get those messages accepted as valid and coming from a trusted entity. In practice, this means full capabilities to impersonate any individual at a given service provider.

The issue can be exploited to get other invalid messages accepted as valid, though the security implications there are minor.

In order to exploit the issue, SAML 1.1 metadata must be registered by the vulnerable Service Provider for the Identity Provider targeted by the attacker (in metadata/shib13-idp-remote.php), and an incorrect context must be fed to the signature validation routines, or an exceptional error must be triggered. So far, the following cases have been identified:

Using a DSA public key to validate an XML signature made with an RSA-related algorithm.
Using an RSA public key to validate an XML signature made with a DSA-related algorithm.
Exhausting available memory while verifying the signature.

SimpleSAMLphp does not support DSA signatures or keys. Therefore, it is not possible for an attacker to feed an incorrect context by sending a signature with an incorrect algorithm. Upon reception of a DSA-SHA1 signature, SimpleSAMLphp will refuse to perform the validation due to the algorithm not being supported. On the other hand, if an attacker manages to trick a service provider operator to change the public key associated to a certain IdP to a DSA key, signatures made with any combination of the RSA algorithm will be accepted, regardless of whether they are valid or not. This means some serious misconfiguration or social engineering is needed in this case for a successful attack.

Regarding memory exhaustion, it is in theory possible to attack a service provider causing the consumption of all available memory while a message with an invalid signature is being validated. However, memory exhaustion must happen only during signature validation and not immediately before or after. This means exploitation of this case is extremely difficult due to the small time window available for the attacker and the precise control that is needed over the service provider.

All in all, the consequences of this issue are critical, so even though we consider it difficult to exploit, and considering that other ways to trigger failures in signature validation could be possible but so far unidentified, we recommend updating the affected software as soon as possible.

Resolution

Upgrade to the latest version.

Credit

This security issue was discovered and reported on December 3, 2016 by Thijs Kinkhorst.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "simplesamlphp/simplesamlphp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.14.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2016-9955"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-01-24T21:21:43Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Background\nAn incorrect check of return values in the signature validation utilities allows an attacker to get invalid signatures accepted as valid by forcing an error during validation.\n\n### Description\nThe `SimpleSAML_XML_Validator` class allows the verification of the XML digital signature of a SAML 1 message with a given key. In particular, the constructor of the class receives an XML node and a key to verify it and throws an exception in case there is an error, either caused by incorrect input or an invalid signature. This method uses the `verify()` method from the `RobRichards\\XMLSecDSig` class to verify the signature with the given key, which in turn will end up calling `openssl_verify()` depending on the signature algorithm used.\n\nThe `openssl_verify()` function returns `1` when the signature was successfully verified, `0` if it failed to verify with the given key and `-1` in case an error occurs. PHP allows translating numerical values to boolean implicitly, with the following correspondences:\n\n- `0` equals `false`\n- Non-zero equals `true`\n\nThis means that an implicit conversion to _boolean_ of the values returned by `openssl_verify()` will convert an error state, signaled by the value `-1`, to successful verification of the signature (represented by the _boolean_ `true`).\n\nThe aforementioned constructor was performing an implicit conversion to boolean of the values returned by the `verify()` method, which subsequently will return the same output as `openssl_verify()` under most circumstances. This means an error during signature verification is treated as a successful verification by the method.\n\n###  Affected versions\nAll SimpleSAMLphp versions prior to **1.14.11**.\n\n###  Impact\nUpon successful exploitation, an invalid signature would be regarded as valid by an affected version of the software. This allows attackers to modify or manually craft **SAML 1 response messages** and, by triggering a signature validation error in the affected party, get those messages accepted as valid and coming from a trusted entity. In practice, this means full capabilities to impersonate any individual at a given service provider.\n\nThe issue can be exploited to get other invalid messages accepted as valid, though the security implications there are minor.\n\nIn order to exploit the issue, **SAML 1.1 metadata must be registered by the vulnerable Service Provider for the Identity Provider targeted by the attacker** (in `metadata/shib13-idp-remote.php`), and an incorrect context must be fed to the signature validation routines, or an exceptional error must be triggered. So far, the following cases have been identified:\n\n- Using a DSA public key to validate an XML signature made with an RSA-related algorithm.\n- Using an RSA public key to validate an XML signature made with a DSA-related algorithm.\n- Exhausting available memory while verifying the signature.\n\nSimpleSAMLphp **does not support DSA signatures or keys**. Therefore, it is not possible for an attacker to feed an incorrect context by sending a signature with an incorrect algorithm. Upon reception of a DSA-SHA1 signature, SimpleSAMLphp will refuse to perform the validation due to the algorithm not being supported. On the other hand, if an attacker manages to trick a service provider operator to change the public key associated to a certain IdP to a DSA key, signatures made with any combination of the RSA algorithm will be accepted, regardless of whether they are valid or not. This means some serious misconfiguration or social engineering is needed in this case for a successful attack.\n\nRegarding memory exhaustion, it is in theory possible to attack a service provider causing the consumption of all available memory while a message with an invalid signature is being validated. However, memory exhaustion must happen only during signature validation and not immediately before or after. This means exploitation of this case is extremely difficult due to the small time window available for the attacker and the precise control that is needed over the service provider.\n\nAll in all, the consequences of this issue are critical, so even though we consider it difficult to exploit, and considering that other ways to trigger failures in signature validation could be possible but so far unidentified, we recommend updating the affected software as soon as possible.\n\n### Resolution\nUpgrade to the latest version.\n\n### Credit\nThis security issue was discovered and reported on December 3, 2016 by Thijs Kinkhorst.",
  "id": "GHSA-p9cm-r7jg-8q3g",
  "modified": "2021-08-19T16:43:43Z",
  "published": "2020-01-24T21:27:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-p9cm-r7jg-8q3g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9955"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2016-9955.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://simplesamlphp.org/security/201612-02"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/94946"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Incorrect signature verification in SimpleSAMLphp"
}

fkie_cve-2016-9955

Vulnerability from fkie_nvd

Published

2017-02-17 02:59

Modified

2025-04-20 01:37

Severity ?

6.3 (Medium) - CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H

Summary

References

URL	Tags
security@debian.org	http://www.securityfocus.com/bid/94946	Third Party Advisory, VDB Entry
security@debian.org	https://lists.debian.org/debian-lts-announce/2018/03/msg00001.html	Third Party Advisory
security@debian.org	https://simplesamlphp.org/security/201612-02	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/94946	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2018/03/msg00001.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://simplesamlphp.org/security/201612-02	Vendor Advisory

Impacted products

	Vendor	Product	Version
	simplesamlphp	simplesamlphp	*
	debian	debian_linux	7.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:simplesamlphp:simplesamlphp:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "40A192FB-B0BF-4058-AE15-2FBD239B8E52",
              "versionEndExcluding": "1.14.11",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The SimpleSAML_XML_Validator class constructor in SimpleSAMLphp before 1.14.11 might allow remote attackers to spoof signatures on SAML 1 responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean."
    },
    {
      "lang": "es",
      "value": "El constructor de clase SimpleSAML_XML_Validator en SimpleSAMLphp en versiones anteriores a 1.14.11 podr\u00eda permitir a atacantes remotos suplantar firmas en respuestas SAML 1 o posiblemente provocar una denegaci\u00f3n de servicio (consumo de memoria) aprovechando la conversi\u00f3n incorrecta de valores de retorno a valores booleanos."
    }
  ],
  "id": "CVE-2016-9955",
  "lastModified": "2025-04-20T01:37:25.860",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "HIGH",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 4.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 4.9,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 1.0,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-02-17T02:59:14.233",
  "references": [
    {
      "source": "security@debian.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/94946"
    },
    {
      "source": "security@debian.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00001.html"
    },
    {
      "source": "security@debian.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://simplesamlphp.org/security/201612-02"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/94946"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00001.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://simplesamlphp.org/security/201612-02"
    }
  ],
  "sourceIdentifier": "security@debian.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

cnvd-2016-13109

Vulnerability from cnvd

Title: SimpleSAMLphp安全绕过漏洞（CNVD-2016-13109）

Description:

SimpleSAMLphp是一个实现了SAML 2.0服务提供者和标识提供者功能的PHP身份验证应用程序。

SimpleSAMLphp存在安全绕过漏洞。攻击者可以利用此问题绕过某些安全限制并执行未经授权的操作。

Severity: 中

Patch Name: SimpleSAMLphp安全绕过漏洞（CNVD-2016-13109）的补丁

Patch Description:

SimpleSAMLphp是一个实现了SAML 2.0服务提供者和标识提供者功能的PHP身份验证应用程序。

SimpleSAMLphp存在安全绕过漏洞。攻击者可以利用此问题绕过某些安全限制并执行未经授权的操作。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

用户可联系供应商获得补丁信息： https://github.com/simplesamlphp/simplesamlphp/commit/a2326d75dd14accaac162dd2cb30aaefcc1f9205

Reference: http://www.securityfocus.com/bid/94946

Impacted products

Name
SimpleSAMLphp simpleSAMLphp <=1.14.10

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "94946"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2016-9955"
    }
  },
  "description": "SimpleSAMLphp\u662f\u4e00\u4e2a\u5b9e\u73b0\u4e86SAML 2.0\u670d\u52a1\u63d0\u4f9b\u8005\u548c\u6807\u8bc6\u63d0\u4f9b\u8005\u529f\u80fd\u7684PHP\u8eab\u4efd\u9a8c\u8bc1\u5e94\u7528\u7a0b\u5e8f\u3002\r\n\r\nSimpleSAMLphp\u5b58\u5728\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\u3002 \u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6b64\u95ee\u9898\u7ed5\u8fc7\u67d0\u4e9b\u5b89\u5168\u9650\u5236\u5e76\u6267\u884c\u672a\u7ecf\u6388\u6743\u7684\u64cd\u4f5c\u3002",
  "discovererName": "Thijs Kinkhorst",
  "formalWay": "\u7528\u6237\u53ef\u8054\u7cfb\u4f9b\u5e94\u5546\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttps://github.com/simplesamlphp/simplesamlphp/commit/a2326d75dd14accaac162dd2cb30aaefcc1f9205",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2016-13109",
  "openTime": "2016-12-27",
  "patchDescription": "SimpleSAMLphp\u662f\u4e00\u4e2a\u5b9e\u73b0\u4e86SAML 2.0\u670d\u52a1\u63d0\u4f9b\u8005\u548c\u6807\u8bc6\u63d0\u4f9b\u8005\u529f\u80fd\u7684PHP\u8eab\u4efd\u9a8c\u8bc1\u5e94\u7528\u7a0b\u5e8f\u3002\r\n\r\nSimpleSAMLphp\u5b58\u5728\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\u3002 \u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6b64\u95ee\u9898\u7ed5\u8fc7\u67d0\u4e9b\u5b89\u5168\u9650\u5236\u5e76\u6267\u884c\u672a\u7ecf\u6388\u6743\u7684\u64cd\u4f5c\u3002 \u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "SimpleSAMLphp\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\uff08CNVD-2016-13109\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "SimpleSAMLphp simpleSAMLphp \u003c=1.14.10"
  },
  "referenceLink": "http://www.securityfocus.com/bid/94946",
  "serverity": "\u4e2d",
  "submitTime": "2016-12-19",
  "title": "SimpleSAMLphp\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\uff08CNVD-2016-13109\uff09"
}

gsd-2016-9955

Vulnerability from gsd

Modified

2023-12-13 01:21

Details

Aliases

CVE-2016-9955

Aliases

CVE-2016-9955

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2016-9955",
    "description": "The SimpleSAML_XML_Validator class constructor in SimpleSAMLphp before 1.14.11 might allow remote attackers to spoof signatures on SAML 1 responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean.",
    "id": "GSD-2016-9955",
    "references": [
      "https://www.suse.com/security/cve/CVE-2016-9955.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2016-9955"
      ],
      "details": "The SimpleSAML_XML_Validator class constructor in SimpleSAMLphp before 1.14.11 might allow remote attackers to spoof signatures on SAML 1 responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean.",
      "id": "GSD-2016-9955",
      "modified": "2023-12-13T01:21:21.554836Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@debian.org",
        "ID": "CVE-2016-9955",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The SimpleSAML_XML_Validator class constructor in SimpleSAMLphp before 1.14.11 might allow remote attackers to spoof signatures on SAML 1 responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://simplesamlphp.org/security/201612-02",
            "refsource": "CONFIRM",
            "url": "https://simplesamlphp.org/security/201612-02"
          },
          {
            "name": "94946",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/94946"
          },
          {
            "name": "[debian-lts-announce] 20180302 [SECURITY] [DLA 1297-1] simplesamlphp security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00001.html"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c1.14.11",
          "affected_versions": "All versions before 1.14.11",
          "credit": "Thijs Kinkhorst",
          "cvss_v2": "AV:N/AC:H/Au:N/C:N/I:P/A:P",
          "cvss_v3": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-20",
            "CWE-937"
          ],
          "date": "2018-10-02",
          "description": "An incorrect check of return values in the signature validation utilities allows an attacker to get invalid signatures accepted as valid by forcing an error during validation. get those messages accepted as valid and coming from a trusted entity. In practice, this means full capabilities to impersonate any individual at a given service provider. This vulnerability is not to be confused with the one described and related to SAML 2 messages.",
          "fixed_versions": [
            "1.14.11"
          ],
          "identifier": "CVE-2016-9955",
          "identifiers": [
            "CVE-2016-9955"
          ],
          "not_impacted": "All versions starting from 1.14.11",
          "package_slug": "packagist/simplesamlphp/simplesamlphp",
          "pubdate": "2017-02-16",
          "solution": "Upgrade to version 1.14.11 or above.",
          "title": "Incorrect signature verification of SAML 1 messages",
          "urls": [
            "https://simplesamlphp.org/security/201612-02"
          ],
          "uuid": "775542ec-f81c-4732-bcb5-fa8c7b5a1179"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:simplesamlphp:simplesamlphp:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.14.11",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@debian.org",
          "ID": "CVE-2016-9955"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The SimpleSAML_XML_Validator class constructor in SimpleSAMLphp before 1.14.11 might allow remote attackers to spoof signatures on SAML 1 responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-20"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://simplesamlphp.org/security/201612-02",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://simplesamlphp.org/security/201612-02"
            },
            {
              "name": "94946",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/94946"
            },
            {
              "name": "[debian-lts-announce] 20180302 [SECURITY] [DLA 1297-1] simplesamlphp security update",
              "refsource": "MLIST",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00001.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 4.9,
          "impactScore": 4.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 1.0,
          "impactScore": 5.2
        }
      },
      "lastModifiedDate": "2018-10-02T15:52Z",
      "publishedDate": "2017-02-17T02:59Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2016-9955 (GCVE-0-2016-9955)

Vulnerability from cvelistv5

ghsa-p9cm-r7jg-8q3g

Vulnerability from github

Background

Description

Affected versions

Impact

Resolution

Credit

fkie_cve-2016-9955

Vulnerability from fkie_nvd

cnvd-2016-13109

Vulnerability from cnvd

gsd-2016-9955

Vulnerability from gsd

Tags

Sightings

Nomenclature