CVE-2016-9814

The validateSignature method in the SAML2\Utils class in SimpleSAMLphp before 1.14.10 and simplesamlphp/saml2 library before 1.9.1, 1.10.x before 1.10.3, and 2.x before 2.3.3 allows remote attackers to spoof SAML responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.1 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
debianCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 73%
VendorProductVersion
simplesamlphpsimplesamlphp
𝑥
≤ 1.14.9
simplesamlphpsimplesamlphp
1.10
simplesamlphpsaml2
𝑥
≤ 1.9
simplesamlphpsaml2
1.10
simplesamlphpsaml2
1.10.1
simplesamlphpsaml2
1.10.2
simplesamlphpsaml2
2.0.0
simplesamlphpsaml2
2.0.1
simplesamlphpsaml2
2.1
simplesamlphpsaml2
2.2
simplesamlphpsaml2
2.3
simplesamlphpsaml2
2.3.1
simplesamlphpsaml2
2.3.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
simplesamlphp
bullseye
1.19.0-1
fixed
jessie
no-dsa
sid
1.19.7-1
fixed
trixie
1.19.7-1
fixed
bookworm
1.19.7-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
simplesamlphp
noble
not-affected
mantic
not-affected
lunar
not-affected
kinetic
not-affected
jammy
not-affected
impish
not-affected
hirsute
not-affected
groovy
not-affected
focal
not-affected
eoan
not-affected
disco
not-affected
cosmic
not-affected
bionic
not-affected
artful
ignored
zesty
ignored
yakkety
ignored
xenial
needed
trusty
dne
precise
ignored
Common Weakness Enumeration
References
http://www.securityfocus.com/bid/94730
https://lists.debian.org/debian-lts-announce/2018/03/msg00001.html
https://simplesamlphp.org/security/201612-01
http://www.securityfocus.com/bid/94730
https://lists.debian.org/debian-lts-announce/2018/03/msg00001.html
https://simplesamlphp.org/security/201612-01