Fixed XXE vulnerability in SAML2 library
CVE-2024-52806

8.3 HIGH

Key Information:

Status
Vendor
CVE Published: 2 December 2024

What is CVE-2024-52806?

The SimpleSAMLphp SAML2 library, which provides SAML2-related functionality, is susceptible to an XML External Entity (XXE) attack when it processes untrusted XML documents, such as a SAMLResponse. The vulnerability stems from improper handling of XML input and could allow an attacker to read sensitive files or perform other unauthorized actions. Versions prior to 4.6.14 and 5.0.0-alpha.18 are affected; those two releases contain the fix.
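The defensive side of the issue described above, as an added example that is not SimpleSAMLphp's or the saml2 library's own code: a weak libxml configuration (entity substitution and DTD loading enabled on attacker-supplied input) shown next to a hardened loader that refuses any DTD declaration, parses with network access disabled, and re-checks the parsed tree. It assumes the consumer parses the SAMLResponse with PHP's DOMDocument; the function names and the sample messages are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not SimpleSAMLphp/saml2 library code. Assumption: the
// SAMLResponse is parsed with PHP's DOMDocument (libxml). Function names
// and sample documents are hypothetical / constructed.

/**
 * Weak configuration for contrast: substituting entities (LIBXML_NOENT) and
 * loading external DTDs (LIBXML_DTDLOAD) on untrusted input is what lets a
 * DOCTYPE in an attacker-supplied document trigger an XXE file or network read.
 */
function loadXmlWeak(string $xml): DOMDocument
{
    $dom = new DOMDocument();
    $dom->loadXML($xml, LIBXML_NOENT | LIBXML_DTDLOAD);
    return $dom;
}

/**
 * Hardened loader: a SAML message never legitimately carries a DTD, so any
 * DOCTYPE or ENTITY declaration is rejected before parsing. The parse itself
 * runs with network access off and without entity substitution, and the
 * parsed tree is checked again in case the textual check was bypassed.
 */
function loadXmlHardened(string $xml): DOMDocument
{
    if (preg_match('/<!(DOCTYPE|ENTITY)/i', $xml) === 1) {
        throw new InvalidArgumentException('DTD declarations are not permitted in SAML messages');
    }

    $previous = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        // LIBXML_NONET forbids network access while parsing.
        // LIBXML_NOENT, LIBXML_DTDLOAD and LIBXML_DTDATTR are deliberately absent.
        if ($dom->loadXML($xml, LIBXML_NONET) === false) {
            $msgs = array_map(static fn(LibXMLError $e): string => trim($e->message), libxml_get_errors());
            throw new InvalidArgumentException('Malformed XML: ' . implode('; ', $msgs));
        }
        // Second line of defence: refuse a document whose parsed tree has a DOCTYPE
        // (covers encodings the regex above would not match, e.g. UTF-16 input).
        if ($dom->doctype !== null) {
            throw new InvalidArgumentException('Unexpected DOCTYPE in SAML message');
        }
        return $dom;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

// Constructed inputs (not captured traffic).
$benign = <<<XML
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-id" Version="2.0" IssueInstant="2024-12-02T00:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response>
XML;

// The same message with an internal DTD inserted after the XML declaration:
// the shape any XXE attempt takes, here with a harmless placeholder entity.
$withDtd = preg_replace(
    '/\?>/',
    '?><!DOCTYPE samlp:Response [<!ENTITY constructed "placeholder">]>',
    $benign,
    1
);

$dom = loadXmlHardened($benign);
echo "benign: root element is ", $dom->documentElement->localName, PHP_EOL;

try {
    loadXmlHardened($withDtd);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), PHP_EOL;
}
```

Run with `php example.php`: the benign message parses (root element `Response`), the DTD-bearing variant is rejected before libxml ever sees the DOCTYPE. Rejecting the DTD outright is preferable to relying on parser flags alone, because a later change to the flags (or a different libxml build) cannot silently reopen the hole.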

Affected Version(s)

saml2 < 4.6.14

saml2 >= 5.0.0-alpha.1, < 5.0.0-alpha.18

References

CVSS V3.1

Score: 8.3
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
