#VU38369 Inadequate Encryption Strength in SimpleSAMLphp - CVE-2017-12871
Published: September 1, 2017 / Updated: August 8, 2020
Vulnerability identifier: #VU38369
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2017-12871
CWE-ID: CWE-326
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
SimpleSAMLphp
SimpleSAMLphp
Software vendor:
SimpleSAMLphp
SimpleSAMLphp
Description
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The aesEncrypt method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.x through 1.14.11 makes it easier for context-dependent attackers to bypass the encryption protection mechanism by leveraging use of the first 16 bytes of the secret key as the initialization vector (IV).
Remediation
Install update from vendor's website.