Candidate: CVE-2019-3465
PublicDate: 2019-11-07 20:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3465
 https://groups.google.com/forum/#!msg/simplesamlphp-announce/2odMqz63z7k/6zQQeM91EwAJ
Description:
 Rob Richards XmlSecLibs, all versions prior to v3.0.3, as used for example
 by SimpleSAMLphp, performed incorrect validation of cryptographic
 signatures in XML messages, allowing an authenticated attacker to
 impersonate others or elevate privileges by creating a crafted XML
 message.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944107
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [8.8 HIGH]

Patches_simplesamlphp:
upstream_simplesamlphp: needs-triage
precise/esm_simplesamlphp: DNE
trusty_simplesamlphp: ignored (out of standard support)
trusty/esm_simplesamlphp: DNE
xenial_simplesamlphp: ignored (end of standard support, was needs-triage)
bionic_simplesamlphp: needs-triage
disco_simplesamlphp: ignored (reached end-of-life)
eoan_simplesamlphp: ignored (reached end-of-life)
focal_simplesamlphp: not-affected (1.17.6-2)
groovy_simplesamlphp: not-affected (1.17.6-2)
hirsute_simplesamlphp: not-affected (1.17.6-2)
impish_simplesamlphp: not-affected (1.17.6-2)
jammy_simplesamlphp: not-affected (1.17.6-2)
devel_simplesamlphp: not-affected (1.17.6-2)
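Added example, not part of the tracker or of any Ubuntu or SimpleSAMLphp tooling: a small Python parser for records in this layout that pulls out the header fields, the per-release status of the tracked package (with the parenthesised note), the NVD CVSS vector and score, and the releases whose status still leaves the package open, plus a check of an installed XmlSecLibs version against the "prior to v3.0.3" boundary the description gives. The embedded record is a shortened copy of this page's entry, constructed for the example; the set of statuses treated as "open" (needs-triage, needed, pending, deferred) is this example's own choice.

```python
"""Parse an ubuntu-cve-tracker style record (one field per line, continuation
lines indented by a space, "<release>_<package>: <status> (<note>)" lines for
per-release status).  Example code, not tracker tooling."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a shortened copy of the CVE-2019-3465 record on this page.
SAMPLE_RECORD = """\
Candidate: CVE-2019-3465
PublicDate: 2019-11-07 20:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3465
Description:
 Rob Richards XmlSecLibs, all versions prior to v3.0.3, as used for example
 by SimpleSAMLphp, performed incorrect validation of cryptographic
 signatures in XML messages.
Priority: medium
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [8.8 HIGH]

Patches_simplesamlphp:
upstream_simplesamlphp: needs-triage
precise/esm_simplesamlphp: DNE
trusty_simplesamlphp: ignored (out of standard support)
xenial_simplesamlphp: ignored (end of standard support, was needs-triage)
bionic_simplesamlphp: needs-triage
focal_simplesamlphp: not-affected (1.17.6-2)
jammy_simplesamlphp: not-affected (1.17.6-2)
"""

# "<release>_<source package>: <status> (<note>)"; the release may contain a
# slash (precise/esm) and the parenthesised note is optional.
STATUS_LINE = re.compile(
    r"^([a-z][a-z0-9/]*)_([A-Za-z0-9.+-]+):\s*(\S+)(?:\s+\((.*)\))?\s*$")

# "<source>: <vector> [<score> <severity>]" inside the CVSS field.
CVSS_ENTRY = re.compile(r"^(\w+):\s*(CVSS:[\d.]+/\S+)\s*\[([\d.]+)\s+(\w+)\]")

# Statuses under which the package in that release may still be vulnerable
# (this example's own grouping, not a tracker definition).
OPEN_STATUSES = {"needs-triage", "needed", "pending", "deferred"}

Statuses = Dict[str, Dict[str, Tuple[str, Optional[str]]]]


def parse_record(text: str) -> Tuple[Dict[str, str], Statuses]:
    """Return (header fields, {package: {release: (status, note)}})."""
    fields: Dict[str, str] = {}
    statuses: Statuses = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():  # continuation of the previous header field
            if current is not None:
                fields[current] = (fields[current] + "\n" + raw.strip()).strip()
            continue
        m = STATUS_LINE.match(raw)
        if m:
            release, pkg, status, note = m.groups()
            statuses.setdefault(pkg, {})[release] = (status, note)
            current = None
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        current = key.strip()
        fields[current] = value.strip()
    return fields, statuses


def nvd_cvss(fields: Dict[str, str]) -> Optional[Tuple[str, float, str]]:
    """(vector, base score, severity) from the nvd entry of the CVSS field."""
    for line in fields.get("CVSS", "").splitlines():
        m = CVSS_ENTRY.match(line)
        if m and m.group(1) == "nvd":
            return m.group(2), float(m.group(3)), m.group(4)
    return None


def open_releases(statuses: Statuses, pkg: str) -> List[str]:
    """Releases where `pkg` still needs a fix or a triage decision."""
    return sorted(r for r, (st, _) in statuses.get(pkg, {}).items()
                  if st in OPEN_STATUSES)


def xmlseclibs_vulnerable(version: str) -> bool:
    """True for versions before v3.0.3, the boundary the description states."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(x) for x in m.groups()) < (3, 0, 3)


if __name__ == "__main__":
    hdr, st = parse_record(SAMPLE_RECORD)
    print(hdr["Candidate"], hdr["Priority"], nvd_cvss(hdr))
    print("open releases for simplesamlphp:", open_releases(st, "simplesamlphp"))
    print("xmlseclibs 3.0.2 vulnerable:", xmlseclibs_vulnerable("3.0.2"))
```

Run against a real tracker file, the same functions give the list of releases still waiting on a fix; the version check is only a first cut, since a distribution package may carry the fix as a backported patch without bumping the upstream version, which is exactly what the per-release status lines record.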