CVE-2017-12871: Incorrect IV generation for encryption

September 1, 2017 (updated September 6, 2017)

The aesEncrypt method in lib/SimpleSAML/Utils/Crypto makes it easier for context-dependent attackers to bypass the encryption protection mechanism by leveraging use of the first bytes of the secret key as the initialization vector (IV).

References

nvd.nist.gov/vuln/detail/CVE-2017-12871
simplesamlphp.org/security/201703-02

Code Behaviors & Features

Detect and mitigate CVE-2017-12871 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →