Vulnerability Description
The SimpleSAML_XML_Validator class constructor in SimpleSAMLphp before 1.14.11 might allow remote attackers to spoof signatures on SAML 1 responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean.
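The description names the mechanism (a return value collapsed to a boolean) but not the call. The example below is added here and is not SimpleSAMLphp's code or its actual fix; it assumes the return value in question has the shape of PHP's openssl_verify() result, 1 for a valid signature, 0 for an invalid one and -1 when the verifier itself fails, which is the usual way this bug appears in PHP signature checks. It shows the loose negation beside a strict comparison against the one documented success value, using a throwaway RSA key and a constructed message so it runs offline.

```php
<?php
// Added example, not SimpleSAMLphp's own code. It demonstrates the class of bug
// the description names: a verification routine that returns three values
// (assumed here to be openssl_verify()'s 1 = valid, 0 = invalid, -1 = error)
// being collapsed to a boolean with "!", which treats the -1 error as success.
// Requires PHP 8 (int|false parameter types) with the openssl extension.

// Vulnerable shape: reject only on a falsy result. 0 and false reject,
// but -1 is truthy, so an error on the verifier's side is accepted.
function acceptedByLooseCheck(int|false $result): bool
{
    if (!$result) {
        return false;
    }
    return true;
}

// Hardened shape: accept only the documented success value.
function acceptedByStrictCheck(int|false $result): bool
{
    return $result === 1;
}

// Real sign/verify round trip with a throwaway in-memory RSA key so the
// example runs offline; the message is constructed sample input.
function sampleVerifyResults(): array
{
    $priv = openssl_pkey_new([
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
        'private_key_bits' => 2048,
    ]);
    $pub = openssl_pkey_get_details($priv)['key'];
    $msg = '<Response ID="_sample">constructed sample</Response>';

    openssl_sign($msg, $sig, $priv, OPENSSL_ALGO_SHA256);

    return [
        '1 (valid)'   => openssl_verify($msg, $sig, $pub, OPENSSL_ALGO_SHA256),
        '0 (invalid)' => openssl_verify($msg . 'x', $sig, $pub, OPENSSL_ALGO_SHA256),
        // -1 is the error return openssl_verify() documents; injected here
        // because it cannot be triggered portably from a valid key and digest.
        '-1 (error)'  => -1,
    ];
}

foreach (sampleVerifyResults() as $label => $result) {
    printf(
        "%-12s loose check accepts: %-5s strict check accepts: %s\n",
        $label,
        var_export(acceptedByLooseCheck($result), true),
        var_export(acceptedByStrictCheck($result), true)
    );
}
```

The first two rows agree between the two checks; the third is the point. Because `!(-1)` is false in PHP, the loose check lets a verifier error through as an accepted signature, while the strict `=== 1` comparison rejects anything that is not an explicit success. When reviewing PHP code that wraps openssl_verify() or a library built on it, look for `!` or `== false` on the result and replace it with a comparison against 1.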
CVSS Score
6.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Simplesamlphp | Simplesamlphp | < 1.14.11 |
| Debian | Debian Linux | 7.0 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/94946 (Third Party Advisory, VDB Entry)
- https://lists.debian.org/debian-lts-announce/2018/03/msg00001.html (Third Party Advisory)
- https://simplesamlphp.org/security/201612-02 (Vendor Advisory)
FAQ
What is CVE-2016-9955?
CVE-2016-9955 is a vulnerability with a CVSS score of 6.3 (MEDIUM). The SimpleSAML_XML_Validator class constructor in SimpleSAMLphp before 1.14.11 might allow remote attackers to spoof signatures on SAML 1 responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean.
How severe is CVE-2016-9955?
CVE-2016-9955 has been rated MEDIUM with a CVSS base score of 6.3/10. The impact is either a forged signature on a SAML 1 response being accepted as valid, which undermines the authentication that response carries, or a memory-consumption denial of service against the validator.
Is there a patch for CVE-2016-9955?
Yes. The flaw is present in versions before 1.14.11, so upgrading to SimpleSAMLphp 1.14.11 or later resolves it; see the vendor advisory 201612-02 in the references. For Debian 7 (wheezy), the Debian LTS announcement of March 2018 in the references announces the updated package. Affected products include: Simplesamlphp Simplesamlphp, Debian Debian Linux.