<p>Upgrade <code>simplesamlphp/simplesamlphp</code> to version 1.14.15 or higher.</p>

Invalid Token Creation and Validation Affecting simplesamlphp/simplesamlphp package, versions <1.14.15

Snyk CVSS

Attack Complexity High

Integrity High

Threat Intelligence

EPSS 0.15% (51^st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-PHP-SIMPLESAMLPHPSIMPLESAMLPHP-70163
published 28 Jun 2017
disclosed 28 Jun 2017
credit Unknown

Report a new vulnerability Found a mistake?

Introduced: 28 Jun 2017

CVE-2017-12867 Open this link in a new tab CWE-284 Open this link in a new tab

How to fix?

Upgrade simplesamlphp/simplesamlphp to version 1.14.15 or higher.

Overview

Affected versions of simplesamlphp/simplesamlphp are vulnerable to Invalid Token Creation and Validation.

The SimpleSAML_Auth_TimeLimitedToken class in SimpleSAMLphp 1.14.14 and earlier allows attackers with access to a secret token to extend its validity period by manipulating the prepended time offset.

References

SimpleSaml Security Advosiry