7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-1000165

GHSA ID

GHSA-vg4f-8v9q-5c3x

EPSS Score

0.42313%

CWE

CWE-732

Published

5/13/2022

Updated

4/23/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-1000165

CVE-2018-1000165: LightSAML Incorrect Access Control vulnerability

LightSAML version prior to 1.3.5 contains a Incorrect Access Control vulnerability in signature validation in readers in src/LightSaml/Model/XmlDSig/ that can result in impersonation of any user from Identity Provider. This vulnerability appears to have been fixed in 1.3.5 and later.

(GitHub Advisory)

7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-1000165

GHSA ID

GHSA-vg4f-8v9q-5c3x

EPSS Score

0.42313%

CWE

CWE-732

Published

5/13/2022

Updated

4/23/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
lightsaml/lightsaml	composer	< 1.3.5	1.3.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The GitHub patch adds critical algorithm validation logic to castKeyIfNecessary, indicating this was the missing security control. The vulnerability description explicitly mentions signature validation flaws in XmlDSig readers, and the CWE-732 (Incorrect Permission Assignment) maps to the lack of proper algorithm restrictions. The pre-patch version would accept any algorithm type without validation, enabling potential impersonation via crafted signatures.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Li**tS*ML v*rsion prior to *.*.* *ont*ins * In*orr**t ****ss *ontrol vuln*r**ility in si*n*tur* v*li**tion in r****rs in `sr*/Li**tS*ml/Mo**l/Xml*Si*/` t**t **n r*sult in imp*rson*tion o* *ny us*r *rom I**ntity Provi**r. T*is vuln*r**ility *pp**rs to

Reasoning

T** *it*u* p*t** ***s *riti**l *l*orit*m v*li**tion lo*i* to **stK*yI*N***ss*ry, in*i**tin* t*is w*s t** missin* s**urity *ontrol. T** vuln*r**ility **s*ription *xpli*itly m*ntions si*n*tur* v*li**tion *l*ws in Xml*Si* r****rs, *n* t** *W*-*** (In*or

7.5

Basic Information

Concerned about an active attack path?

CVE-2018-1000165: LightSAML Incorrect Access Control vulnerability

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI