The XmlSecLibs library as used in the saml2 library in SimpleSAMLphp before 1.15.3 incorrectly verifies signatures on SAML assertions, allowing a remote attacker to construct a crafted SAML assertion on behalf of an Identity Provider that would pass as cryptographically valid, thereby allowing them to impersonate a user from that Identity Provider, aka a key confusion issue.
Metrics
Affected Vendors & Products
References
Link | Providers |
---|---|
https://simplesamlphp.org/security/201802-01 |
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2018-03-05T14:00:00
Updated: 2024-08-05T06:31:05.114Z
Reserved: 2018-03-02T00:00:00
Link: CVE-2018-7644
Vulnrichment
No data.
NVD
Status : Analyzed
Published: 2018-03-05T14:29:00.377
Modified: 2019-10-03T00:03:26.223
Link: CVE-2018-7644
Redhat
No data.