Base Score

MEDIUM6.3

CVE-2016-9955

The SimpleSAML_XML_Validator class constructor in SimpleSAMLphp before 1.14.11 might allow remote attackers to spoof signatures on SAML 1 responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean.

VectorLOCAL

Published Bysecurity@debian.org

Published DateFeb 17, 2017, 02:59

Affected Versions(1)

simplesamlphp/simplesamlphp(Packagist)

Introduced0

Fixed1.14.11

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
simplesamlphp/simplesamlphp(Packagist)	0	1.14.11	N/A

Weakness Type (CWE):CWE-20

CVSS Metrics

Base Score

6.3

Vector String

CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H

Base Severity

MEDIUM

Version

3.0

Attack Vector (AV)

LOCAL

Attack Complexity (AC)

HIGH

Privileges Required (PR)

NONE

User Interaction (UI)

REQUIRED

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

HIGH

Availability (A)

HIGH

References

Base Score

MEDIUM6.3

Weakness Type (CWE):CWE-20

CVSS Metrics

Base Score

6.3

Vector String

CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H

Base Severity

MEDIUM

Version

3.0

Attack Vector (AV)

LOCAL

Attack Complexity (AC)

HIGH

Privileges Required (PR)

NONE

User Interaction (UI)

REQUIRED

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

HIGH

Availability (A)

HIGH