PatchSiren cyber security CVE debrief

CVE-2016-9955 Debian CVE debrief

CVE-2016-9955 affects SimpleSAMLphp before 1.14.11. The issue is in the SimpleSAML_XML_Validator class constructor and stems from improper conversion of return values to boolean. According to the official descriptions, that flaw may let a remote attacker spoof signatures on SAML 1 responses or cause denial of service through memory consumption. NVD rates the issue MEDIUM with a CVSS v3.0 score of 6.3.

Vendor: Debian
Product: CVE-2016-9955
CVSS: MEDIUM 6.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-17
Original CVE updated: 2026-05-13
Advisory published: 2017-02-17
Advisory updated: 2026-05-13

Who should care

Administrators and operators running SimpleSAMLphp, especially environments that still process SAML 1 responses or rely on XML signature validation for authentication flows. Security teams responsible for identity, federation, and SSO infrastructure should prioritize review and patching.

Technical summary

The vulnerable behavior is described as an improper boolean conversion in the SimpleSAML_XML_Validator constructor in SimpleSAMLphp versions before 1.14.11. NVD says this can affect signature validation for SAML 1 responses, creating integrity risk if signatures can be spoofed, and may also lead to denial of service via memory consumption. The recorded weakness is CWE-20 (Improper Input Validation).
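The weakness class named above, a verification result cast to boolean instead of compared against its documented success value, is easy to illustrate in PHP. The following is an added example written for this debrief; it is not SimpleSAMLphp code and does not reproduce the actual SimpleSAML_XML_Validator logic. It assumes a hypothetical verifySignature() helper built on PHP's openssl_verify(), which returns 1 on a valid signature, 0 on an invalid one and -1 on error; a plain boolean cast treats -1 the same as 1.

```php
<?php
// Added illustration of the "return value improperly converted to boolean"
// weakness class. Not SimpleSAMLphp code; the helper names are hypothetical.

declare(strict_types=1);

// Weak pattern: any non-zero return code, including the -1 that
// openssl_verify() returns on error, becomes true and is accepted as "valid".
function weakCheck(int|false $rc): bool
{
    return (bool) $rc;
}

// Hardened pattern: only the documented success value 1 is accepted;
// 0 (bad signature), -1 (library error) and false (PHP-level failure) are rejected.
function strictCheck(int|false $rc): bool
{
    return $rc === 1;
}

// Hypothetical helper: verify an RSA/SHA-256 signature with the strict comparison.
function verifySignature(string $data, string $signature, OpenSSLAsymmetricKey $publicKey): bool
{
    $rc = openssl_verify($data, $signature, $publicKey, OPENSSL_ALGO_SHA256);
    return strictCheck($rc);
}

// Constructed demo data: a throwaway key pair and a sample payload signed with it.
$privateKey = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
$publicKey = openssl_pkey_get_public(openssl_pkey_get_details($privateKey)['key']);
$data = 'constructed SAML-like response payload';
openssl_sign($data, $signature, $privateKey, OPENSSL_ALGO_SHA256);

// Genuine signature is accepted; a tampered payload is rejected.
printf("untampered: %s\n", verifySignature($data, $signature, $publicKey) ? 'accept' : 'reject');
printf("tampered:   %s\n", verifySignature($data . 'x', $signature, $publicKey) ? 'accept' : 'reject');

// The three return codes openssl_verify() documents, pushed through both checks.
// The weak check accepts the error case (-1); the strict check does not.
foreach ([1 => 'valid', 0 => 'invalid', -1 => 'error'] as $rc => $meaning) {
    printf(
        "rc=%2d (%-7s) weak=%s strict=%s\n",
        $rc,
        $meaning,
        weakCheck($rc) ? 'accept' : 'reject',
        strictCheck($rc) ? 'accept' : 'reject'
    );
}
```

When reviewing signature-validation code for this class of defect, look for any place where the result of a verification call is used directly as a condition or cast with (bool); every such site should compare against the single documented success value and treat every other value, including error sentinels, as a failed verification.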

Defensive priority

Medium. The issue is publicly disclosed and can affect authentication integrity, but NVD assigns a medium CVSS score and the description does not indicate active exploitation in the supplied corpus.

Recommended defensive actions

  • Upgrade SimpleSAMLphp to version 1.14.11 or later, as identified in the NVD description and vendor advisory.
  • Inventory all deployments of SimpleSAMLphp, including packaged distributions, to confirm whether any instance is below 1.14.11.
  • Review whether any environment still depends on SAML 1 response handling and prioritize those systems for remediation.
  • Validate that XML signature checking and memory usage behave normally after patching, especially in authentication paths.
  • Track vendor and distribution guidance, including the SimpleSAMLphp security notice and Debian LTS advisory, for package-specific remediation steps.

Evidence notes

CVE published on 2017-02-17 per the supplied NVD record and modified on 2026-05-13. The official NVD description states that SimpleSAMLphp before 1.14.11 may allow signature spoofing on SAML 1 responses or denial of service via memory consumption because of improper conversion of return values to boolean in SimpleSAML_XML_Validator. The supplied references include the SimpleSAMLphp security advisory and Debian LTS announcement.

Official resources

Publicly disclosed on 2017-02-17; the supplied NVD record was last modified on 2026-05-13.