CVE-2018-7711
Description
SimpleSAMLphp saml2 library before 1.15.4 incorrectly treats -1 error from openssl_verify as true, allowing forged signatures to be accepted.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
HTTPRedirect.php in the saml2 library of SimpleSAMLphp before version 1.15.4 checks the return value of signature verification incorrectly. Its validateSignature() method calls verifySignature() on the XMLSecurityKey class (from the xmlseclibs dependency), which for the RSA keys used here passes through the return value of PHP's openssl_verify(). That function returns 1 if the signature is correct, 0 if it is incorrect, and -1 if an error occurred during verification. The original code tested the result with `!$key->verifySignature(...)`; the `!` operator casts its operand to bool, and every non-zero integer casts to true, so `!(-1)` is false, the exception is never thrown, and an error inside verification becomes indistinguishable from success. Only a 0 (or false) result was ever rejected. This affects all simplesamlphp/saml2 releases up to and including 1.10.5, 2.3.7 and 3.1.3, and all SimpleSAMLphp releases up to and including 1.15.3 [1][2][3].
Exploitation
An attacker needs to deliver a SAML 2 message over the HTTP-Redirect binding to an affected party and make the verification step end in an error (openssl_verify() returning -1) rather than in a clean mismatch (returning 0). In the redirect binding the SigAlg and Signature query parameters are supplied by the sender, so the attacker controls both the signature value and the algorithm identifier used for the check; candidate triggers are a malformed signature value or a key/algorithm mismatch, but which input actually yields -1 instead of 0 depends on the key type and OpenSSL version. No authentication or special privileges are needed, only the ability to send the message to the endpoint. The flaw is the check `!$key->verifySignature($query, $signature)`: it rejects 0 and false, but -1 is truthy in PHP, so a verification error passes as a valid signature [2][4].
Impact
Successful exploitation lets an attacker have a SAML 2 message with an invalid signature accepted as authentic by the receiving party. HTTPRedirect.php validates signatures on messages carried in the HTTP-Redirect binding, which in SAML 2.0 transports requests and single-logout messages (responses carrying assertions use the HTTP-POST binding), so the message types at stake are forged or modified authentication requests and logout requests or responses. The consequence depends on what the receiving party trusts a signed redirect-bound message for: it ranges from forced logouts and spoofed requests to unauthorized access or privilege escalation where the message is treated as proof of the sender's identity [1][2].
Mitigation
The vulnerability is fixed in SimpleSAMLphp 1.15.4, released 2018-03-05, and in simplesamlphp/saml2 1.10.6, 2.3.8 and 3.1.4. The fix (commit 4f6af7f) changes the comparison in HTTPRedirect.php from `!$key->verifySignature(...)` to `$key->verifySignature(...) !== 1`, so that only the documented success value, the integer 1, is accepted and both 0 and -1 raise the exception [4]. Upgrade to a patched release; `composer show simplesamlphp/saml2` reports the installed library version. No workaround exists for earlier versions. Distribution packages may carry the fix as a backport (a Debian LTS announcement is among the references). This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date [1][2][4].
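The two checks discussed in the Vulnerability and Mitigation paragraphs above, side by side, as an added example that is not code from SimpleSAMLphp or xmlseclibs: acceptedByVulnerableCheck() and acceptedByFixedCheck() are this example's own names for the pre-1.15.4 and 1.15.4 logic, the RSA key pair and the redirect-style query string are constructed, and the -1 case is injected rather than triggered live, because which input makes OpenSSL report an error (as opposed to a plain bad signature) depends on the key type and library version. Requires PHP with ext-openssl.

```php
<?php
declare(strict_types=1);

// Added example, not SimpleSAMLphp or xmlseclibs code. Reproduces the two checks from
// HTTPRedirect::validateSignature() as plain functions, feeds them each value that
// openssl_verify() documents (1 / 0 / -1), and runs the real openssl_verify() against a
// constructed query string so the 1 and 0 outcomes are genuine. The -1 value is injected.

/**
 * Pre-1.15.4 logic: `if (!$key->verifySignature(...)) throw ...`.
 * Returns true when the message would be accepted.
 */
function acceptedByVulnerableCheck($verifyResult): bool
{
    if (!$verifyResult) {      // rejects only 0 and false
        return false;          // the "throw new \Exception(...)" path
    }
    return true;               // reached for 1 and for -1, since (bool) -1 === true
}

/**
 * 1.15.4 logic: `if ($key->verifySignature(...) !== 1) throw ...`.
 * Only the exact integer 1 is accepted; 0, -1 and false all reject.
 */
function acceptedByFixedCheck($verifyResult): bool
{
    return $verifyResult === 1;
}

/**
 * Sign a constructed redirect-binding query string, then verify three variants.
 * Returns [label => ['openssl_verify' => int, 'vulnerable' => bool, 'fixed' => bool]].
 */
function runDemo(): array
{
    $private = openssl_pkey_new([
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    $public = openssl_pkey_get_details($private)['key'];   // PEM-encoded public key

    // Constructed sample shaped like the signed portion of an HTTP-Redirect query string.
    $query = 'SAMLRequest=ZmFrZS1kZWZsYXRlZC1yZXF1ZXN0&RelayState=state-1'
           . '&SigAlg=' . rawurlencode('http://www.w3.org/2001/04/xmldsig-more#rsa-sha256');
    openssl_sign($query, $signature, $private, OPENSSL_ALGO_SHA256);

    $cases = [
        'genuine'   => openssl_verify($query, $signature, $public, OPENSSL_ALGO_SHA256),
        'tampered'  => openssl_verify($query . '&Extra=1', $signature, $public, OPENSSL_ALGO_SHA256),
        'error(-1)' => -1,   // constructed: openssl_verify()'s documented error return value
    ];

    $table = [];
    foreach ($cases as $label => $result) {
        $table[$label] = [
            'openssl_verify' => $result,
            'vulnerable'     => acceptedByVulnerableCheck($result),
            'fixed'          => acceptedByFixedCheck($result),
        ];
    }
    return $table;
}

foreach (runDemo() as $label => $row) {
    printf("%-10s openssl_verify=%2d  vulnerable=%s  fixed=%s\n",
        $label,
        $row['openssl_verify'],
        $row['vulnerable'] ? 'ACCEPT' : 'reject',
        $row['fixed'] ? 'ACCEPT' : 'reject');
}
```

Run it with `php demo.php`. The genuine case verifies to 1 and both checks accept; the tampered case verifies to 0 and both checks reject; the injected -1 is accepted by the vulnerable check and rejected by the fixed one, which is the whole CVE in one row.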
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| simplesamlphp/saml2 (Packagist) | < 1.10.6 | 1.10.6 |
| simplesamlphp/saml2 (Packagist) | >= 2.0, < 2.3.8 | 2.3.8 |
| simplesamlphp/saml2 (Packagist) | >= 3.0, < 3.1.4 | 3.1.4 |
Patches
4f6af7f69f29 Be strict when checking return values.
1 file changed · +1 −1
src/SAML2/HTTPRedirect.php+1 −1 modified@@ -226,7 +226,7 @@ public static function validateSignature(array $data, XMLSecurityKey $key) $key = Utils::castKey($key, $sigAlg); } - if (!$key->verifySignature($query, $signature)) { + if ($key->verifySignature($query, $signature) !== 1) { throw new \Exception('Unable to validate signature on query string.'); } }
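Review bot: The `!== 1` comparison in validateSignature() is the correct test, but nothing in the hunk records why the negated form was unsafe, so a one-line comment above the `if` stating that openssl_verify() returns 1 on success, 0 on a bad signature and -1 on error, and that -1 is truthy in PHP, would stop the next refactor from reintroducing `!`. Two follow-ups: the single message 'Unable to validate signature on query string.' now covers both a forged signature (0) and a verification error (-1), and splitting them, or logging openssl_error_string() on the -1 path, would make incidents and misconfigurations easier to tell apart; and any other call site of verifySignature() in the library should be checked for the same negated form.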
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-g888-g2pp-82hf (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-7711 (NVD)
- github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/saml2/CVE-2018-7711.yaml (FriendsOfPHP advisory)
- github.com/simplesamlphp/saml2/commit/4f6af7f69f29df8555a18b9bb7b646906b45924d (fix commit)
- lists.debian.org/debian-lts-announce/2018/03/msg00017.html (Debian LTS announcement)
- simplesamlphp.org/security/201803-01 (SimpleSAMLphp security advisory)