Critical severity 9.8 · NVD Advisory · Published Sep 1, 2017 · Updated May 13, 2026
CVE-2017-12868
Description
The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation.
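The bug the description points at can be reproduced outside the project. The block below is an added example, not SimpleSAMLphp code: the function names (vulnerableCompare, fixedCompare, runDemo) and the sample tokens are constructed for illustration. It models the pre-5.6 fallback loop with an explicit `(int)` cast standing in for the implicit string-to-integer conversion that PHP < 5.6 performed when an integer was bitwise-ORed with a string, so the effect can be observed on a current interpreter.

```php
<?php
declare(strict_types=1);

// Added example, not SimpleSAMLphp code. Names and sample tokens are constructed.

/**
 * Models the pre-5.6 fallback loop. On PHP < 5.6 the original expression
 *     $diff |= $known[$i] ^ $user[$i];
 * XORs two one-byte strings (string XOR, giving a one-byte string) and then
 * bitwise-ORs the integer $diff with that string. PHP converted the string to
 * an integer for the OR, and a non-numeric byte such as "\x03" converts to 0,
 * so the mismatch was silently dropped. The explicit (int) cast below stands in
 * for that implicit conversion so the effect is observable on current PHP,
 * where the implicit int|string form no longer converts silently.
 */
function vulnerableCompare(string $known, string $user): bool
{
    $len = strlen($known);
    if ($len !== strlen($user)) {
        return false; // length differs
    }
    $diff = 0;
    for ($i = 0; $i < $len; $i++) {
        $diff |= (int) ($known[$i] ^ $user[$i]); // non-numeric byte -> 0
    }
    return $diff === 0;
}

/**
 * The patched form: ord() turns both operands into integers, so every
 * differing bit is recorded in $diff.
 */
function fixedCompare(string $known, string $user): bool
{
    $len = strlen($known);
    if ($len !== strlen($user)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < $len; $i++) {
        $diff |= ord($known[$i]) ^ ord($user[$i]);
    }
    return $diff === 0;
}

/** Runs constructed cases; returns [label => [vulnerable result, fixed result]]. */
function runDemo(): array
{
    $known = 'c0ffee'; // constructed secret, e.g. a session or CSRF token
    $cases = [
        // identical strings: both implementations agree (true, true)
        'identical'      => 'c0ffee',
        // last byte differs: 'e' ^ 'f' = "\x03", (int)"\x03" === 0, so the old loop
        // returns true while the fixed loop returns false
        'one byte off'   => 'c0ffef',
        // every byte differs, but no per-byte XOR value is an ASCII digit, so the
        // old loop accepts an arbitrary same-length guess (true, false)
        'attacker guess' => 'zzzzzz',
        // 'c' ^ 'R' = "1", (int)"1" === 1: the only kind of mismatch the old loop
        // ever noticed (false, false)
        'digit xor'      => 'R0ffee',
    ];
    $out = [];
    foreach ($cases as $label => $user) {
        $out[$label] = [vulnerableCompare($known, $user), fixedCompare($known, $user)];
    }
    return $out;
}

foreach (runDemo() as $label => [$vuln, $fixed]) {
    printf("%-15s vulnerable=%-5s fixed=%s\n", $label,
        var_export($vuln, true), var_export($fixed, true));
}
```

The "attacker guess" case is the one that matters operationally: with the old loop, any same-length string whose per-byte XOR against the secret never lands on an ASCII digit compares equal, which is why a forged session identifier or token could be accepted. On PHP 5.6 and later the built-in `hash_equals()` is the standard constant-time comparison and should be preferred over a hand-rolled loop.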
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| simplesamlphp/simplesamlphp (Packagist) | >= 1.14.12, < 1.14.14 | 1.14.14 |
Patches (1)
Commit 4bc629658e7b: bugfix: SimpleSAML\Utils\Crypto returns true for different strings using PHP < 5.6.
1 file changed · +2 −2
lib/SimpleSAML/Utils/Crypto.php+2 −2 modified@@ -404,8 +404,8 @@ public static function secureCompare($known, $user) return false; // length differs } $diff = 0; - for ($i = 0; $i < $len; ++$i) { - $diff |= $known[$i] ^ $user[$i]; + for ($i = 0; $i < $len; $i++) { + $diff |= ord($known[$i]) ^ ord($user[$i]); } // if all the bytes in $a and $b are identical, $diff should be equal to 0 return $diff === 0;
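Review bot: The `ord()` change on the `$diff |=` line is the right fix: `$known[$i] ^ $user[$i]` is a string XOR that yields a one-byte string, and bitwise-ORing the integer `$diff` with that string converts the string to an integer, where any non-numeric byte becomes 0, so most mismatches never set `$diff`; with `ord()` on both sides every differing bit is recorded. Two follow-ups for the same hunk: the trailing comment `// if all the bytes in $a and $b are identical, $diff should be equal to 0` still names `$a` and `$b` while the parameters are `$known` and `$user`, so rename them; and a regression test comparing two same-length strings whose bytes differ by a non-numeric XOR value (for example "e" against "f") should accompany the fix, since the old loop only detected mismatches whose XOR happened to be a digit character. The `++$i` to `$i++` change is cosmetic and could be dropped to keep the security fix minimal.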
References
- github.com/simplesamlphp/simplesamlphp/commit/4bc629658e7b7d17c9ac3fe0da7dc5df71f1b85e (NVD: Issue Tracking, Patch, Third Party Advisory)
- simplesamlphp.org/security/201705-01 (NVD: Patch, Vendor Advisory)
- github.com/advisories/GHSA-j96g-47x2-46hv (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-12868 (GHSA: Advisory)
- github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12868.yaml (GHSA)
- lists.debian.org/debian-lts-announce/2017/12/msg00007.html (NVD)
- lists.debian.org/debian-lts-announce/2018/06/msg00017.html (NVD)