The SAML2 library before 1.10.4, 2.x before 2.3.5, and 3.x before 3.1.1 in SimpleSAMLphp has a Regular Expression Denial of Service vulnerability for fraction-of-seconds data in a timestamp.
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Saml2 | Simplesamlphp | 1.0.0 (including) | 1.10.4 (excluding) |
| Saml2 | Simplesamlphp | 2.0.0 (including) | 2.3.5 (excluding) |
| Saml2 | Simplesamlphp | 3.0.0 (including) | 3.1.1 (excluding) |
| Simplesamlphp | Ubuntu | artful | * |
| Simplesamlphp | Ubuntu | esm-apps/xenial | * |
| Simplesamlphp | Ubuntu | trusty | * |
| Simplesamlphp | Ubuntu | upstream | * |
| Simplesamlphp | Ubuntu | xenial | * |
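The record above gives the vulnerability class (ReDoS on the fraction-of-seconds part of a timestamp) but not the pattern or the fix, so the following is an added illustration of the general mitigation, not code from SimpleSAMLphp or its saml2 library. It parses the UTC `xsd:dateTime` form used in SAML assertions (`YYYY-MM-DDTHH:MM:SS[.fraction]Z`) without handing unbounded input to a regular expression: total length and fraction digit count are capped before any parsing work, so a long run of digits is rejected in constant time. `MAX_INPUT_LEN`, `MAX_FRACTION_DIGITS` and the function names are assumptions made for this example.

```python
# Added example, not code from SimpleSAMLphp or its saml2 library.
# Linear-time parser for the UTC xsd:dateTime form used in SAML assertions.
# Input length and fraction-of-seconds digit count are bounded up front, so an
# attacker-controlled run of digits cannot drive super-linear matching work.
from datetime import datetime, timezone

MAX_INPUT_LEN = 64        # assumption: generous upper bound for a well-formed timestamp
MAX_FRACTION_DIGITS = 9   # assumption: accept up to nanoseconds, reject anything longer
_SEPARATORS = {4: "-", 7: "-", 10: "T", 13: ":", 16: ":"}


class TimestampError(ValueError):
    """Raised for any malformed, oversized, or out-of-range timestamp."""


def _ascii_digits(s: str, start: int, n: int) -> int:
    """Return the integer spelled by exactly n ASCII digits at s[start:start+n]."""
    chunk = s[start:start + n]
    # str.isdigit() alone also accepts Unicode digits (e.g. superscripts); require ASCII.
    if len(chunk) != n or not chunk.isascii() or not chunk.isdigit():
        raise TimestampError(f"expected {n} digits at offset {start}")
    return int(chunk)


def parse_xsd_datetime_utc(value: str) -> datetime:
    """Parse 'YYYY-MM-DDTHH:MM:SS[.fff]Z' into an aware UTC datetime.

    Fractional seconds are optional, must be 1..MAX_FRACTION_DIGITS ASCII digits,
    and are truncated (not rounded) to microsecond precision.
    """
    # Length check first: constant cost no matter how large the input is.
    if len(value) > MAX_INPUT_LEN:
        raise TimestampError("timestamp exceeds maximum length")
    if len(value) < 20 or not value.endswith("Z"):
        raise TimestampError("timestamp must be UTC: YYYY-MM-DDTHH:MM:SS[.fff]Z")
    for pos, sep in _SEPARATORS.items():
        if value[pos] != sep:
            raise TimestampError(f"expected {sep!r} at offset {pos}")

    year = _ascii_digits(value, 0, 4)
    month = _ascii_digits(value, 5, 2)
    day = _ascii_digits(value, 8, 2)
    hour = _ascii_digits(value, 11, 2)
    minute = _ascii_digits(value, 14, 2)
    second = _ascii_digits(value, 17, 2)

    body = value[:-1]          # drop the trailing 'Z'
    microsecond = 0
    if len(body) > 19:
        if body[19] != ".":
            raise TimestampError("unexpected characters after seconds")
        fraction = body[20:]
        if not fraction or len(fraction) > MAX_FRACTION_DIGITS:
            raise TimestampError(
                f"fraction of seconds must be 1..{MAX_FRACTION_DIGITS} digits")
        if not fraction.isascii() or not fraction.isdigit():
            raise TimestampError("fraction of seconds must be ASCII digits")
        # Keep the first six digits (microseconds), right-pad shorter fractions.
        microsecond = int(fraction[:6].ljust(6, "0"))

    try:
        return datetime(year, month, day, hour, minute, second,
                        microsecond, tzinfo=timezone.utc)
    except ValueError as exc:   # e.g. month 13 or second 61
        raise TimestampError(str(exc)) from exc


def is_valid_xsd_datetime_utc(value: str) -> bool:
    """Boolean wrapper for call sites that only need accept/reject."""
    try:
        parse_xsd_datetime_utc(value)
        return True
    except TimestampError:
        return False


if __name__ == "__main__":
    # Constructed samples: a plain value, a fractional one, and an oversized fraction.
    for sample in ("2019-07-01T12:34:56Z",
                   "2019-07-01T12:34:56.250Z",
                   "2019-07-01T12:34:56." + "9" * 100000 + "Z"):
        print(len(sample), is_valid_xsd_datetime_utc(sample))
```

The defensive point is ordering: the length and digit-count caps run before any per-character work, so the cost of rejecting a hostile value does not grow with its size. If a regular expression is still preferred for the overall shape, the same bound should appear in the pattern itself (a fixed repetition count for the fraction rather than an open-ended one) and the length check should stay in front of it.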