CVE-2019-3465

moderate-risk

Published 2019-11-07

Rob Richards XmlSecLibs, all versions prior to v3.0.3, as used for example by SimpleSAMLphp, performed incorrect validation of cryptographic signatures in XML messages, allowing an authenticated attacker to impersonate others or elevate privileges by creating a crafted XML message.

Do I need to act?

1.9% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High

NETWORK / LOW complexity

Affected Products (5)

Xmlseclibs

Debian Linux

Simplesamlphp

Affected Vendors

Debian Simplesamlphp Xmlseclibs Project

References (30)

Patch https://github.com/robrichards/xmlseclibs/commit/0a53d3c3aa87564910cae4ed0141644...

Mailing List https://lists.debian.org/debian-lts-announce/2019/11/msg00003.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

Issue Tracking https://seclists.org/bugtraq/2019/Nov/8

Third Party Advisory https://simplesamlphp.org/security/201911-01

Third Party Advisory https://www.debian.org/security/2019/dsa-4560

https://www.tenable.com/security/tns-2019-09

Patch https://github.com/robrichards/xmlseclibs/commit/0a53d3c3aa87564910cae4ed0141644...

Mailing List https://lists.debian.org/debian-lts-announce/2019/11/msg00003.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

and 10 more references

/ 100

moderate-risk

Severity 30/34 · Critical

Exploitability 5/34 · Minimal

Exposure 12/34 · Low