The XmlSecLibs library as used in the saml2 library in SimpleSAMLphp before 1.15.3 incorrectly verifies signatures on SAML assertions. A remote attacker can construct a crafted SAML assertion on behalf of an Identity Provider that passes as cryptographically valid, and so impersonate a user of that Identity Provider (a key confusion issue).
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
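The following is an added example, not SimpleSAMLphp, saml2 or xmlseclibs code, showing what a "key confusion" signature-verification bug looks like and how the check that closes it differs. The page only states that signatures were verified incorrectly; the mechanism modelled here is an assumption about the general class: the verifier lets the document's `SignatureMethod` choose the algorithm, so an attacker can present an HMAC "signature" whose secret is the IdP's public key, a value anyone can read from IdP metadata. Everything else is constructed for the example: textbook RSA over small Mersenne primes, the flat `Response/Assertion/Signature` layout, the names `verify_vulnerable`, `verify_fixed`, `IDP_KEY` and the sample subjects. None of it is usable as real cryptography or real XML-DSig (no C14N transforms, References or X.509 handling).

```python
"""Toy model of the 'key confusion' class of signature-verification bug.

Added example; it is not SimpleSAMLphp, saml2 or xmlseclibs code. The page says
only that signatures were verified incorrectly ('key confusion'), so the
mechanism modelled here is an assumption: the verifier lets the document's
SignatureMethod choose the algorithm, and an attacker switches an RSA signature
into an HMAC whose secret is the IdP's *public* key, which anyone can read from
IdP metadata. Textbook RSA over small Mersenne primes and a flat
Response/Assertion/Signature layout stand in for real XML-DSig (C14N,
References, X.509) and are not usable as real cryptography.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"


def rsa_keypair(p, q, e=65537):
    """Textbook RSA key from two primes (toy sizes; constructed for this example)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e, "d": pow(e, -1, phi)}


def public_bytes(key):
    """Serialised public key: the value a verifier's configured IdP certificate carries."""
    return f"{key['n']}:{key['e']}".encode()


def digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def rsa_sign(key, data):
    return str(pow(digest_int(data, key["n"]), key["d"], key["n"]))


def rsa_verify(key, data, sig):
    try:
        s = int(sig)
    except ValueError:  # not an RSA signature at all (e.g. an HMAC hex digest)
        return False
    return pow(s, key["e"], key["n"]) == digest_int(data, key["n"])


def signed_bytes(response):
    """The bytes a signature covers: the canonical form of the Assertion element."""
    return ET.canonicalize(ET.tostring(response.find("Assertion"))).encode()


def build_response(subject, algorithm, signer):
    """<Response><Assertion><NameID/></Assertion><Signature/></Response>; signer(bytes) -> str."""
    response = ET.Element("Response")
    assertion = ET.SubElement(response, "Assertion")
    ET.SubElement(assertion, "NameID").text = subject
    signature = ET.SubElement(response, "Signature")
    ET.SubElement(signature, "SignatureMethod").set("Algorithm", algorithm)
    ET.SubElement(signature, "SignatureValue").text = signer(signed_bytes(response))
    return ET.tostring(response)


def subject_of(xml_bytes):
    return ET.fromstring(xml_bytes).find("Assertion/NameID").text


def verify_vulnerable(xml_bytes, idp_public):
    """Vulnerable: the algorithm named *in the document* decides how the configured key is used."""
    response = ET.fromstring(xml_bytes)
    algorithm = response.find("Signature/SignatureMethod").get("Algorithm")
    value = response.find("Signature/SignatureValue").text
    data = signed_bytes(response)
    if algorithm == RSA_SHA256:
        return rsa_verify(idp_public, data, value)
    if algorithm == HMAC_SHA256:
        # The configured key material is reused as an HMAC secret, but it is a public key.
        expected = hmac.new(public_bytes(idp_public), data, "sha256").hexdigest()
        return hmac.compare_digest(expected, value)
    return False


def verify_fixed(xml_bytes, idp_public, key_algorithm=RSA_SHA256):
    """Fixed: the algorithm the configured key was provisioned for must equal the document's."""
    response = ET.fromstring(xml_bytes)
    algorithm = response.find("Signature/SignatureMethod").get("Algorithm")
    if algorithm != key_algorithm:
        return False  # refuse before touching the key: the document does not pick the algorithm
    value = response.find("Signature/SignatureValue").text
    return rsa_verify(idp_public, signed_bytes(response), value)


# Constructed toy IdP key; only the public half is known to the attacker.
IDP_KEY = rsa_keypair(2**61 - 1, 2**89 - 1)
IDP_PUBLIC = {"n": IDP_KEY["n"], "e": IDP_KEY["e"]}


def genuine_response(subject="alice"):
    return build_response(subject, RSA_SHA256, lambda d: rsa_sign(IDP_KEY, d))


def forged_response(subject="admin"):
    """Attacker: any subject, 'signed' with HMAC under the IdP's public key bytes."""
    secret = public_bytes(IDP_PUBLIC)
    return build_response(subject, HMAC_SHA256, lambda d: hmac.new(secret, d, "sha256").hexdigest())


if __name__ == "__main__":
    for name, doc in (("genuine", genuine_response()), ("forged", forged_response())):
        print(name, subject_of(doc), "vulnerable:", verify_vulnerable(doc, IDP_PUBLIC),
              "fixed:", verify_fixed(doc, IDP_PUBLIC))
```

Running the block accepts the genuine assertion under both verifiers, while the forged assertion for `admin` is accepted only by `verify_vulnerable`. The countermeasure is the general one for this bug class: the verifier binds the configured key to the one algorithm it was provisioned for and rejects any document naming a different `SignatureMethod`, instead of dispatching on an attacker-controlled field; on a real deployment the same applies to the key itself, which must come from configured IdP metadata rather than from the document's `KeyInfo`.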
Name | Vendor | Start Version | End Version |
---|---|---|---|
Simplesamlphp | Simplesamlphp | * | 1.15.3 (excluding) |
Simplesamlphp | Ubuntu | artful | * |
Simplesamlphp | Ubuntu | cosmic | * |
Simplesamlphp | Ubuntu | esm-apps/xenial | * |
Simplesamlphp | Ubuntu | trusty | * |
Simplesamlphp | Ubuntu | upstream | * |
Simplesamlphp | Ubuntu | xenial | * |