Critical severity 9.8 · NVD Advisory · Published Sep 1, 2017 · Updated May 13, 2026

CVE-2017-12873

Description

SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: simplesamlphp/simplesamlphp (Packagist)
Affected versions: >= 1.7.0, < 1.14.11
Patched versions: 1.14.11

Affected products

4
  • cpe:2.3:a:simplesamlphp:simplesamlphp:*:*:*:*:*:*:*:*
    Range: >=1.7.0,<=1.14.10
  • cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Patches

1
90dca8351584

bugfix: Make sure a persistent NameID is not generated by default when the UserID is missing in the state array.

https://github.com/simplesamlphp/simplesamlphp · Jaime Pérez · Dec 12, 2016 · via ghsa
1 file changed · +1 0
  • modules/saml/lib/IdP/SAML2.php+1 0 modified
    @@ -623,6 +623,7 @@ private static function generateNameIdValue(SimpleSAML_Configuration $idpMetadat
     			if ($attribute === NULL) {
     				if (!isset($state['UserID'])) {
     					SimpleSAML_Logger::error('Unable to generate NameID. Check the userid.attribute option.');
    +					return NULL;
     				}
     				$attributeValue = $state['UserID'];
     				$idpEntityId = $idpMetadata->getString('entityid');
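
Review bot: Callers of generateNameIdValue() must handle the NULL now returned from the !isset($state['UserID']) branch, and nothing in this hunk shows that they do; please confirm the caller omits the persistent NameID or fails the response instead of serializing an empty value. Without the return, execution logged the error and still fell through to "$attributeValue = $state['UserID'];" with the key unset, so a regression test that passes a state array lacking UserID and asserts the NULL result would pin this behaviour down. The error message could also name the IdP entity ID so operators can tell which metadata entry has the userid.attribute problem; that would mean moving the getString('entityid') lookup above the check.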
    
