Timing Side-Channel Attack in Htpasswd Authentication and SimpleSAMLphp Session

Timing Side-Channel Attack in Htpasswd Authentication and SimpleSAMLphp Session

CVE-2017-12872 · MEDIUM Severity

AV:N/AC:M/AU:N/C:P/I:N/A:N

The (1) Htpasswd authentication source in the authcrypt module and (2) SimpleSAML_Session class in SimpleSAMLphp 1.14.11 and earlier allow remote attackers to conduct timing side-channel attacks by leveraging use of the standard comparison operator to compare secret material against user input.

Learn more about our User Device Pen Test.