The multiauth module in SimpleSAMLphp 1.14.13 and earlier allows remote attackers to bypass authentication context restrictions and use an authentication source defined in config/authsources.php via vectors related to improper validation of user input.
github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12869.yaml
github.com/simplesamlphp/simplesamlphp
github.com/simplesamlphp/simplesamlphp/blob/de98fc5bb663feea16686ae77958f759b4a7638d/docs/simplesamlphp-changelog-1.x.md?plain=1#L902C64-L902C79
lists.debian.org/debian-lts-announce/2017/12/msg00007.html
nvd.nist.gov/vuln/detail/CVE-2017-12869
simplesamlphp.org/security/201704-02
www.debian.org/security/2018/dsa-4127