Lucene search

9 matches found

GitHub Security Blog
added 2024/05/28 7:29 p.m., 15 views

Duplicate Advisory: SimpleSAMLphp signature validation bypass

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-j4qf-3w33-8cgc. This link is maintained to preserve external references. Original Description: Background: SAML messages are usually signed to prove the identity of the issuer of the message. In the case of SAML...

5.8 AI score
Exploits: 0, References: 4, Affected Software: 1
OSV
added 2020/01/24 9:27 p.m., 23 views

GHSA-P9CM-R7JG-8Q3G Incorrect signature verification in SimpleSAMLphp

Background: An incorrect check of return values in the signature validation utilities allows an attacker to get invalid signatures accepted as valid by forcing an error during validation. Description: The SimpleSAML_XML_Validator class allows the verification of the XML digital signature of a SAML 1...

6.3 CVSS, 6.5 AI score, 0.0041 EPSS
Exploits: 0, References: 6
NVD
added 2017/02/17 2:59 a.m., 15 views

CVE-2016-9955

The SimpleSAML_XML_Validator class constructor in SimpleSAMLphp before 1.14.11 might allow remote attackers to spoof signatures on SAML 1 responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean...

6.3 CVSS, 6.5 AI score, 0.0041 EPSS
Exploits: 0, References: 3
Prion
added 2017/02/17 2:59 a.m., 16 views

Design/Logic Flaw

The SimpleSAML_XML_Validator class constructor in SimpleSAMLphp before 1.14.11 might allow remote attackers to spoof signatures on SAML 1 responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean...

4 CVSS, 7.4 AI score, 0.0041 EPSS
Exploits: 0, References: 3, Affected Software: 2
Cvelist
added 2017/02/16 6:00 p.m., 21 views

CVE-2016-9955

The SimpleSAML_XML_Validator class constructor in SimpleSAMLphp before 1.14.11 might allow remote attackers to spoof signatures on SAML 1 responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean...

6.6 AI score, 0.0041 EPSS
Exploits: 0, References: 3
Debian CVE
added 2017/02/16 6:00 p.m., 23 views

CVE-2016-9955

The SimpleSAML_XML_Validator class constructor in SimpleSAMLphp before 1.14.11 might allow remote attackers to spoof signatures on SAML 1 responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean...

6.3 CVSS, 6.7 AI score, 0.0041 EPSS
Exploits: 0
CVE
added 2017/02/16 6:00 p.m., 72 views

CVE-2016-9955

The CVE-2016-9955 issue affects SimpleSAMLphp up to version 1.14.10 via the SimpleSAML_XML_Validator constructor. Affected component: SimpleSAML_XML_Validator in SimpleSAMLphp; root cause: improper conversion of return values to boolean in signature validation, allowing an attacker to spoof signa...

6.3 CVSS, 6.4 AI score, 0.0041 EPSS
Exploits: 0, References: 3, Affected Software: 1
Prion
added 2011/08/12 5:55 p.m., 14 views

Design/Logic Flaw

IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.2 uses an incomplete SAML 1.x browser-artifact, which allows remote OpenID providers to spoof assertions via vectors related to the Issuer field...

5 CVSS, 6.9 AI score, 0.00225 EPSS
Exploits: 0, References: 2, Affected Software: 1
Cvelist
added 2011/08/12 5:00 p.m., 16 views

CVE-2008-7299

IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.2 uses an incomplete SAML 1.x browser-artifact, which allows remote OpenID providers to spoof assertions via vectors related to the Issuer field...

6.3 AI score, 0.00225 EPSS
Exploits: 0, References: 2