The (deprecated) SAML 1.1 implementation would regard as valid any unsigned SAML response containing more than one signed assertion, provided that the signature of at least one of the assertions was valid, allowing an attacker who could obtain a valid signed assertion from an IdP to impersonate users from that IdP.
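Added example, not SimpleSAMLphp or php-simplesamlphp/saml2 code: it models the acceptance rule described above (trust an unsigned response once any one assertion verifies) next to a safer rule that requires every assertion of an unsigned response to verify. XML-DSig is replaced by a constructed HMAC under a constructed IdP key so the example runs offline; the assertion IDs and names are constructed sample data.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed stand-in for XML-DSig: an HMAC over (AssertionID, NameIdentifier) under a constructed IdP key.
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML1, "ds": DSIG}
IDP_KEY = b"constructed-idp-signing-key"

def sign_assertion(assertion_id: str, name: str) -> str:
    """What the IdP attaches to one assertion it issues (constructed scheme, not XML-DSig)."""
    return hmac.new(IDP_KEY, f"{assertion_id}|{name}".encode(), hashlib.sha256).hexdigest()

def name_id(assertion: ET.Element) -> str:
    return assertion.findtext(".//saml:NameIdentifier", default="", namespaces=NS)

def assertion_signature_valid(assertion: ET.Element) -> bool:
    """True only if the assertion carries a signature that verifies under the IdP key."""
    sig = assertion.findtext("ds:Signature", default="", namespaces=NS)
    expected = sign_assertion(assertion.get("AssertionID", ""), name_id(assertion))
    return bool(sig) and hmac.compare_digest(sig, expected)

def subjects_accepted_vulnerable(response_xml: str) -> list:
    """Flawed rule from the report: trust the whole unsigned response if ANY assertion verifies."""
    assertions = ET.fromstring(response_xml).findall("saml:Assertion", NS)
    if not any(assertion_signature_valid(a) for a in assertions):
        return []
    return [name_id(a) for a in assertions]

def subjects_accepted_safe(response_xml: str) -> list:
    """Safer rule: with no response-level signature, EVERY assertion must verify or nothing is trusted."""
    assertions = ET.fromstring(response_xml).findall("saml:Assertion", NS)
    if not assertions or not all(assertion_signature_valid(a) for a in assertions):
        return []
    return [name_id(a) for a in assertions]

def build_response(specs: list) -> str:
    """Constructed unsigned SAML 1.1 Response from (AssertionID, NameIdentifier, signed?) tuples."""
    parts = []
    for aid, name, signed in specs:
        sig = f"<ds:Signature>{sign_assertion(aid, name)}</ds:Signature>" if signed else ""
        parts.append(f'<saml:Assertion AssertionID="{aid}">{sig}<saml:Subject>'
                     f"<saml:NameIdentifier>{name}</saml:NameIdentifier></saml:Subject></saml:Assertion>")
    return f'<Response xmlns:saml="{SAML1}" xmlns:ds="{DSIG}">{"".join(parts)}</Response>'

# Constructed samples: one assertion the IdP signed plus one it did not, and one where both are signed.
MIXED = build_response([("a1", "alice", True), ("a2", "bob", False)])
ALL_SIGNED = build_response([("a1", "alice", True), ("a3", "bob", True)])
```

With the flawed rule, MIXED yields both subjects because the first assertion verifies; with the safer rule it yields nothing, while ALL_SIGNED is accepted by both.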
Created php-simplesamlphp-saml2 tracking bugs for this issue:
Affects: fedora-all [bug 1552865]
Affects: epel-all [bug 1552864]
CVE-2017-18122 (SSPSA 201710-01) is for the SimpleSAMLphp application, not the php-simplesamlphp/saml2 library.
Dependent bugs have been closed as not a bug. Please close this bug as well.
All dependent bugs are closed. Please close.