VYPR
High severity8.1NVD Advisory· Published Feb 2, 2018· Updated Jun 17, 2026

CVE-2017-18122

CVE-2017-18122

Description

A signature-validation bypass issue was discovered in SimpleSAMLphp through 1.14.16. A SimpleSAMLphp Service Provider using SAML 1.1 will regard as valid any unsigned SAML response containing more than one signed assertion, provided that the signature of at least one of the assertions is valid. Attributes contained in all the assertions received will be merged and the entityID of the first assertion received will be used, allowing an attacker to impersonate any user of any IdP given an assertion signed by the targeted IdP.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
simplesamlphp/simplesamlphpPackagist
< 1.14.171.14.17

Affected products

1

Patches

Vulnerability mechanics

References

7

News mentions

0

No linked articles in our index yet.