Main Vulnerability Database Vulnerabilities #VU38371

Session Fixation in Debian Linux - CVE-2017-12873

Published: September 1, 2017 / Updated: August 8, 2020

Vulnerability identifier: #VU38371

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2017-12873

CWE-ID: CWE-384

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Debian

Affected software:
Debian Linux

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured.

How to mitigate CVE-2017-12873

Install update from vendor's website.

Sources

https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953
https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html
https://simplesamlphp.org/security/201612-04
https://www.debian.org/security/2018/dsa-4127

Session Fixation in Debian Linux - CVE-2017-12873

Detailed vulnerability description

How to mitigate CVE-2017-12873

Sources

Please verify you're human