{"id":"CVE-2016-9814","details":"The validateSignature method in the SAML2\\Utils class in SimpleSAMLphp before 1.14.10 and simplesamlphp/saml2 library before 1.9.1, 1.10.x before 1.10.3, and 2.x before 2.3.3 allows remote attackers to spoof SAML responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean.","aliases":["GHSA-r8v4-7vwj-983x"],"modified":"2026-03-14T09:23:35.611213Z","published":"2017-02-17T02:59:14.047Z","references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2018/03/msg00001.html"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/94730"},{"type":"ADVISORY","url":"https://simplesamlphp.org/security/201612-01"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/simplesamlphp/saml2","events":[{"introduced":"0"},{"last_affected":"6cb5cb844ba5ef9a7f98d149bdab5661d36268ed"},{"introduced":"0"},{"last_affected":"fbc457e774a1cd57945ca2684a2198a0984497c1"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.10.1"},{"introduced":"0"},{"last_affected":"1.10.2"}]}},{"type":"GIT","repo":"https://github.com/simplesamlphp/simplesamlphp","events":[{"introduced":"0"},{"last_affected":"247d316baf7475b3362ba5ef0f835176aca6d7fb"},{"introduced":"0"},{"last_affected":"5455702a4d6c3eaf47fdbc589eb3f174dda0d81b"},{"introduced":"0"},{"last_affected":"28cedec34aada6fd6889b8c72b2a3ca047556e85"},{"introduced":"0"},{"last_affected":"5455702a4d6c3eaf47fdbc589eb3f174dda0d81b"},{"introduced":"0"},{"last_affected":"3fad70092c503d0ef02fe395ef24ab5d5d836f51"},{"introduced":"0"},{"last_affected":"3195076c3c8cd159651db3bdfb4de8d58d8f2a77"},{"introduced":"0"},{"last_affected":"567e3350ae4a363305187984217381a65d57bdb3"},{"introduced":"0"},{"last_affected":"62005d76c684233649c2187d21d73fdbfdf4795a"},{"introduced":"0"},{"last_affected":"74c4130659d1574f44aa2606090a8d87ffc95ebb"},{"introduced":"0"},{"last_affected":"c02bb1f2ec5d81be4827399b5789c14496e179e5"},{"introduced":"0"},{"last_affected":"1ee347667046b8d9d633188dd7e4fd7e800bdf14"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.14.9"},{"introduced":"0"},{"last_affected":"1.10"},{"introduced":"0"},{"last_affected":"1.9"},{"introduced":"0"},{"last_affected":"1.10"},{"introduced":"0"},{"last_affected":"2.0.0"},{"introduced":"0"},{"last_affected":"2.0.1"},{"introduced":"0"},{"last_affected":"2.1"},{"introduced":"0"},{"last_affected":"2.2"},{"introduced":"0"},{"last_affected":"2.3"},{"introduced":"0"},{"last_affected":"2.3.1"},{"introduced":"0"},{"last_affected":"2.3.2"}]}}],"versions":["1.5.3","v0.1.0","v0.1.0-alpha","v0.3.0","v0.4.0","v0.4.1","v0.4.2","v0.5.0","v0.6.0","v0.6.1","v0.6.2","v0.6.3","v0.6.4","v0.7.0","v0.7.1","v0.8.0","v0.8.1","v1.0.0","v1.1.0","v1.10","v1.10.1","v1.12.0","v1.14.0","v1.14.0-rc1","v1.14.1","v1.14.2","v1.14.3","v1.14.4","v1.14.5","v1.14.6","v1.14.7","v1.14.8","v1.14.9","v1.15.0-rc1","v1.2.0","v1.3.0","v1.3.1","v1.3.2","v1.4.0","v1.5.0","v1.5.1","v1.5.2","v1.5.3","v1.5.4","v1.6.0","v1.6.1","v1.7.0","v1.7.1","v1.7.2","v1.8","v1.9","v2.0.0","v2.0.0-beta.1","v2.0.0-beta.11","v2.0.0-beta.2","v2.0.0-beta.3","v2.0.0-beta.4","v2.0.0-rc1","v2.0.0-rc2","v2.0.0-rc3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-9814.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"}]}