CVE-2016-9814

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2016-9814
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-9814.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2016-9814
Aliases
Downstream
Published
2017-02-17T02:59:14.047Z
Modified
2026-06-18T03:54:31.219680464Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H CVSS Calculator
Summary
[none]
Details

The validateSignature method in the SAML2\Utils class in SimpleSAMLphp before 1.14.10 and simplesamlphp/saml2 library before 1.9.1, 1.10.x before 1.10.3, and 2.x before 2.3.3 allows remote attackers to spoof SAML responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean.

Database specific 
{
    "unresolved_ranges": [
        {
            "source": "CPE_RANGE",
            "extracted_events": [
                {
                    "last_affected": "1.9"
                }
            ],
            "vendor_product": "simplesamlphp:saml2",
            "cpes": [
                "cpe:2.3:a:simplesamlphp:saml2:*:*:*:*:*:*:*:*"
            ]
        },
        {
            "source": "CPE_RANGE",
            "extracted_events": [
                {
                    "last_affected": "1.14.9"
                }
            ],
            "vendor_product": "simplesamlphp:simplesamlphp",
            "cpes": [
                "cpe:2.3:a:simplesamlphp:simplesamlphp:*:*:*:*:*:*:*:*"
            ]
        }
    ]
}
References

Affected packages

Git
github.com/simplesamlphp/saml2

Affected ranges

Type
GIT
Repo
https://github.com/simplesamlphp/saml2
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
be2b348c46cceb311a743a33fb51035158f6f69a
Last affected
6a4b1eece19b067b17fff718176689b82dc89fb9
Last affected
6cb5cb844ba5ef9a7f98d149bdab5661d36268ed
Last affected
fbc457e774a1cd57945ca2684a2198a0984497c1
Last affected
80bc9628c03e3c0d2774488cf2f3dc3b9c2ddf5b
Last affected
089a5806bfb8a25ffae8fe1251f53c6e9fb88fb6
Last affected
d78becc975388971c3b853353072adf8e5deb841
Last affected
0d6861bc2966249702e623d325609adb2a782612
Last affected
4853f1e7f69e428afc1843d4170bbaa1038199b4
Last affected
d01b753d557917583292ba9bc64fb1b917d6ea63
Last affected
9a2ffdd7d05ec520b172c5442f4724cab8800bc7
Database specific 
{
    "source": [
        "CPE_RANGE",
        "CPE_STRING"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.9"
        },
        {
            "last_affected": "1.10"
        },
        {
            "last_affected": "1.10.1"
        },
        {
            "last_affected": "1.10.2"
        },
        {
            "last_affected": "2.0.0"
        },
        {
            "last_affected": "2.0.1"
        },
        {
            "last_affected": "2.1"
        },
        {
            "last_affected": "2.2"
        },
        {
            "last_affected": "2.3"
        },
        {
            "last_affected": "2.3.1"
        },
        {
            "last_affected": "2.3.2"
        }
    ],
    "cpe": [
        "cpe:2.3:a:simplesamlphp:saml2:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:simplesamlphp:saml2:1.10:*:*:*:*:*:*:*",
        "cpe:2.3:a:simplesamlphp:saml2:1.10.1:*:*:*:*:*:*:*",
        "cpe:2.3:a:simplesamlphp:saml2:1.10.2:*:*:*:*:*:*:*",
        "cpe:2.3:a:simplesamlphp:saml2:2.0.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:simplesamlphp:saml2:2.0.1:*:*:*:*:*:*:*",
        "cpe:2.3:a:simplesamlphp:saml2:2.1:*:*:*:*:*:*:*",
        "cpe:2.3:a:simplesamlphp:saml2:2.2:*:*:*:*:*:*:*",
        "cpe:2.3:a:simplesamlphp:saml2:2.3:*:*:*:*:*:*:*",
        "cpe:2.3:a:simplesamlphp:saml2:2.3.1:*:*:*:*:*:*:*",
        "cpe:2.3:a:simplesamlphp:saml2:2.3.2:*:*:*:*:*:*:*"
    ]
}

Affected versions

1.*
1.5.3
v0.*
v0.1.0
v0.1.0-alpha
v0.3.0
v0.4.0
v0.4.1
v0.4.2
v0.5.0
v0.6.0
v0.6.1
v0.6.2
v0.6.3
v0.6.4
v0.7.0
v0.7.1
v0.8.0
v0.8.1
v1.*
v1.0.0
v1.1.0
v1.10
v1.10.1
v1.10.2
v1.2.0
v1.3.0
v1.3.1
v1.3.2
v1.4.0
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.6.0
v1.6.1
v1.7.0
v1.7.1
v1.7.2
v1.8
v1.9
v2.*
v2.0.0
v2.0.1
v2.1
v2.2
v2.3
v2.3.1
v2.3.2

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-9814.json"
github.com/simplesamlphp/simplesamlphp

Affected ranges

Type
GIT
Repo
https://github.com/simplesamlphp/simplesamlphp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
247d316baf7475b3362ba5ef0f835176aca6d7fb
Last affected
5455702a4d6c3eaf47fdbc589eb3f174dda0d81b
Database specific 
{
    "source": [
        "CPE_RANGE",
        "CPE_STRING"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.14.9"
        },
        {
            "last_affected": "1.10"
        }
    ],
    "cpe": [
        "cpe:2.3:a:simplesamlphp:simplesamlphp:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:simplesamlphp:simplesamlphp:1.10:*:*:*:*:*:*:*"
    ]
}

Affected versions

simplesamlphp-1.*
simplesamlphp-1.10.0
v1.*
v1.12.0
v1.14.0
v1.14.0-rc1
v1.14.1
v1.14.2
v1.14.3
v1.14.4
v1.14.5
v1.14.6
v1.14.7
v1.14.8
v1.14.9

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-9814.json"
github.com/simplesamlphp/xml-security

Affected ranges

Type
GIT
Repo
https://github.com/simplesamlphp/xml-security
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
446cbf3aed7f4673fb7e03083ece76a468220c44
Last affected
2f478b2308b06c10542488ce9690a98baaf2fdfa
Last affected
f0fb013f5496daf050bb3cb8266874603e6349ce
Last affected
b58d5eeaa2a67bb67f92fecfed4ff6ff94caeae3
Last affected
92e7cfe64d42da5bd5f0cc4e743fd0d692adcb78
Last affected
c3a2b89855764f515089f92357e196ae6e4d6801
Last affected
161123dcdce0a31fdc34c582bf9c73aadde829ed
Last affected
ded07df15a53ee87a179e8bff79870ffea31e716
Database specific 
{
    "source": [
        "CPE_RANGE",
        "CPE_STRING"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.9"
        },
        {
            "last_affected": "1.10"
        },
        {
            "last_affected": "2.0.0"
        },
        {
            "last_affected": "2.0.1"
        },
        {
            "last_affected": "2.1"
        },
        {
            "last_affected": "2.2"
        },
        {
            "last_affected": "2.3"
        },
        {
            "last_affected": "2.3.1"
        }
    ],
    "cpe": [
        "cpe:2.3:a:simplesamlphp:saml2:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:simplesamlphp:saml2:1.10:*:*:*:*:*:*:*",
        "cpe:2.3:a:simplesamlphp:saml2:2.0.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:simplesamlphp:saml2:2.0.1:*:*:*:*:*:*:*",
        "cpe:2.3:a:simplesamlphp:saml2:2.1:*:*:*:*:*:*:*",
        "cpe:2.3:a:simplesamlphp:saml2:2.2:*:*:*:*:*:*:*",
        "cpe:2.3:a:simplesamlphp:saml2:2.3:*:*:*:*:*:*:*",
        "cpe:2.3:a:simplesamlphp:saml2:2.3.1:*:*:*:*:*:*:*"
    ]
}

Affected versions

v0.*
v0.0.1
v0.0.10
v0.0.11
v0.0.2
v0.0.4
v0.0.5
v0.0.6
v0.0.7
v0.0.8
v0.0.9
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.2.6
v0.2.7
v0.3.0
v0.3.2
v0.3.3
v0.4.1
v0.4.3
v0.4.4
v0.4.5
v0.4.6
v0.4.7
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.6.0
v0.6.1
v0.6.2
v0.6.3
v0.6.4
v0.6.5
v1.*
v1.0.0
v1.0.1
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.0.7
v1.0.8
v1.1.0
v1.1.1
v1.1.2
v1.10.0
v1.11.0
v1.11.1
v1.11.2
v1.12.0
v1.12.1
v1.13.0
v1.13.1
v1.13.2
v1.13.5
v1.13.6
v1.13.7
v1.2.0
v1.5.0
v1.5.1
v1.6.0
v1.6.1
v1.6.10
v1.6.11
v1.6.12
v1.6.2
v1.6.3
v1.6.4
v1.6.5
v1.6.6
v1.6.7
v1.6.8
v1.6.9
v1.7.0
v1.7.1
v1.7.2
v1.7.3
v1.7.4
v1.7.5
v1.7.6
v1.8.0
v1.8.1
v1.8.2
v1.8.3
v1.8.6
v1.8.7
v1.9.0
v1.9.1
v1.9.2
v1.9.3
v1.9.4
v1.9.5
v1.9.6
v2.*
v2.0.0
v2.0.1
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.0.9
v2.1.0
v2.1.1
v2.1.2
v2.2.0
v2.3.0
v2.3.1

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-9814.json"
github.com/sustainsys/saml2

Affected ranges

Type
GIT
Repo
https://github.com/sustainsys/saml2
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
af9d04f9e6ab5aabfe1b752ffe1900ffe89c5426
Last affected
f0f7cfc57eff78d5d9354aa2718c342ba684ae29
Last affected
e446404d33dbfaf72dd6cbff8b2ea6a0ecfdb2c1
Last affected
f12c8c5c0012c2d87f5a9e980dc68002ea9d0252
Database specific 
{
    "source": "CPE_STRING",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.0.0"
        },
        {
            "last_affected": "2.1"
        },
        {
            "last_affected": "2.2"
        },
        {
            "last_affected": "2.3"
        }
    ],
    "cpe": [
        "cpe:2.3:a:simplesamlphp:saml2:2.0.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:simplesamlphp:saml2:2.1:*:*:*:*:*:*:*",
        "cpe:2.3:a:simplesamlphp:saml2:2.2:*:*:*:*:*:*:*",
        "cpe:2.3:a:simplesamlphp:saml2:2.3:*:*:*:*:*:*:*"
    ]
}

Affected versions

v0.*
v0.1.0
v0.10.0
v0.11.0
v0.12.0
v0.13.0
v0.14.0
v0.15.0
v0.15.1
v0.16.0
v0.17.0
v0.17.1
v0.17.2
v0.18.0
v0.18.1
v0.19.0
v0.2.0
v0.20.0
v0.21.0
v0.21.1
v0.21.2
v0.22.0
v0.23.0
v0.24.0
v0.3.0
v0.4.0
v0.5.0
v0.5.2
v0.6.0
v0.6.2
v0.7.0
v0.7.2
v0.8.0
v0.9.0
v1.*
v1.0.0
v2.*
v2.0.0
v2.1.0
v2.2.0
v2.3.0

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-9814.json"