High severity (CVSS 8.1) · NVD Advisory · Published Feb 2, 2018 · Updated Jun 17, 2026
CVE-2017-18122
Description
A signature-validation bypass issue was discovered in SimpleSAMLphp through 1.14.16. A SimpleSAMLphp Service Provider using SAML 1.1 will regard as valid any unsigned SAML response containing more than one signed assertion, provided that the signature of at least one of the assertions is valid. Attributes contained in all the assertions received will be merged and the entityID of the first assertion received will be used, allowing an attacker to impersonate any user of any IdP given an assertion signed by the targeted IdP.
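To make the described acceptance logic concrete, here is an added toy model in Python (not SimpleSAMLphp code, and the hardened rule is an assumption, not the project's actual 1.14.17 patch): the vulnerable path accepts an unsigned response as soon as one assertion verifies, merges every assertion's attributes and trusts the first assertion's issuer; the hardened path demands that every assertion is validly signed by one and the same trusted IdP. Issuers, attributes and the `signature_valid` flag are constructed sample data standing in for real XML-DSig verification.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Assertion:
    issuer: str                 # entityID of the IdP that issued the assertion
    signature_valid: bool       # constructed stand-in for XML-DSig verification
    attributes: dict = field(default_factory=dict)


@dataclass
class Response:
    signed: bool                # whether the outer SAML response is signed
    assertions: list


def merge_attributes(assertions):
    merged = {}
    for a in assertions:
        merged.update(a.attributes)     # later assertions overwrite earlier keys
    return merged


def validate_vulnerable(resp: Response) -> Optional[tuple]:
    """Behaviour described for SimpleSAMLphp <= 1.14.16 with SAML 1.1:
    an unsigned response is accepted if ANY assertion verifies; attributes
    of ALL assertions are merged and the FIRST assertion's issuer is used."""
    if not resp.signed and not any(a.signature_valid for a in resp.assertions):
        return None
    return resp.assertions[0].issuer, merge_attributes(resp.assertions)


def validate_hardened(resp: Response, trusted_idps: set) -> Optional[tuple]:
    """Assumed hardening rule: every assertion must carry a valid signature,
    all must name the same issuer, and that issuer must be a trusted IdP."""
    if not resp.assertions:
        return None
    issuer = resp.assertions[0].issuer
    if issuer not in trusted_idps:
        return None
    if any(not a.signature_valid or a.issuer != issuer for a in resp.assertions):
        return None
    return issuer, merge_attributes(resp.assertions)


def demo():
    # Constructed: a genuinely signed assertion from the trusted IdP bundled
    # with an unsigned assertion naming a different IdP, in an unsigned response.
    genuine = Assertion("https://idp.example.org", True, {"mail": "alice@example.org"})
    unsigned = Assertion("https://other-idp.example.net", False, {"uid": "victim"})
    resp = Response(signed=False, assertions=[unsigned, genuine])
    trusted = {"https://idp.example.org", "https://other-idp.example.net"}
    return validate_vulnerable(resp), validate_hardened(resp, trusted)
```

The vulnerable validator returns the mixed-issuer identity with merged attributes, while the hardened one rejects the response outright.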
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| simplesamlphp/simplesamlphp (Packagist) | < 1.14.17 | 1.14.17 |
References
- simplesamlphp.org/security/201710-01 (NVD: Patch, Vendor Advisory)
- github.com/advisories/GHSA-j4qf-3w33-8cgc (GHSA: Advisory)
- lists.debian.org/debian-lts-announce/2018/02/msg00008.html (NVD: Mailing List, Third Party Advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-18122 (GHSA: Advisory)
- www.debian.org/security/2018/dsa-4127 (NVD: Third Party Advisory)
- github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-18122.yaml (GHSA)
- github.com/simplesamlphp/simplesamlphp/commit/e2d53086abbb253efb24ddcb49b116246eb0b6ca (GHSA: fix commit)