{"url":"http://public2.vulnerablecode.io/api/packages/54043?format=json","purl":"pkg:composer/simplesamlphp/simplesamlphp@1.14.13","type":"composer","namespace":"simplesamlphp","name":"simplesamlphp","version":"1.14.13","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.14.17","latest_non_vulnerable_version":"1.17.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38797?format=json","vulnerability_id":"VCID-va8h-3qxg-uqh2","summary":"Session fixation issue and authentication bypass\nThe `secureCompare` method in `lib/SimpleSAML/Utils/Crypto` when used with PHP, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation.","references":[{"reference_url":"https://simplesamlphp.org/security/201705-01","reference_id":"","reference_type":"","scores":[],"url":"https://simplesamlphp.org/security/201705-01"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12868","reference_id":"CVE-2017-12868","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12868"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/54012?format=json","purl":"pkg:composer/simplesamlphp/simplesamlphp@1.14.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gwtm-bdae-3ufj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.14.14"}],"aliases":["CVE-2017-12868"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-va8h-3qxg-uqh2"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38796?format=json","vulnerability_id":"VCID-dvwj-zd42-nbhe","summary":"Information Exposure\nSimpleSAMLphp makes it easier for man-in-the-middle attackers to obtain sensitive information by leveraging use of the `aesEncrypt` and `aesDecrypt` methods in the `SimpleSAML/Utils/Crypto` class to protect session identifiers in replies to non-HTTPS service providers.","references":[{"reference_url":"https://simplesamlphp.org/security/201704-01","reference_id":"","reference_type":"","scores":[],"url":"https://simplesamlphp.org/security/201704-01"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12870","reference_id":"CVE-2017-12870","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12870"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/54043?format=json","purl":"pkg:composer/simplesamlphp/simplesamlphp@1.14.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-va8h-3qxg-uqh2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.14.13"}],"aliases":["CVE-2017-12870"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dvwj-zd42-nbhe"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.14.13"}