CVE-2018-7644
Last modified
CVE-2018-7644 is a vulnerability of currently unknown severity. The XmlSecLibs library as used in the saml2 library in SimpleSAMLphp before 1.15.3 incorrectly verifies signatures on SAML assertions, allowing a remote attacker to construct a crafted SAML assertion on behalf of an Identity Provider that would pass as cryptographically valid, thereby allowing them to impersonate a user from that Identity Provider, aka a key confusion issue.. EPSS estimates a 1.26% chance of exploitation in the next 30 days.
Description
The XmlSecLibs library as used in the saml2 library in SimpleSAMLphp before 1.15.3 incorrectly verifies signatures on SAML assertions, allowing a remote attacker to construct a crafted SAML assertion on behalf of an Identity Provider that would pass as cryptographically valid, thereby allowing them to impersonate a user from that Identity Provider, aka a key confusion issue.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Simplesamlphp | Simplesamlphp | < 1.15.3 |
References
- https://simplesamlphp.org/security/201802-01Vendor Advisory
- https://simplesamlphp.org/security/201802-01Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2018-7644?
How severe is CVE-2018-7644?
How do I fix CVE-2018-7644?
Are you affected by CVE-2018-7644?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST