GHSA-pxm4-r5ph-q2m2

Source

https://github.com/advisories/GHSA-pxm4-r5ph-q2m2

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-pxm4-r5ph-q2m2/GHSA-pxm4-r5ph-q2m2.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-pxm4-r5ph-q2m2

Aliases

CVE-2024-52806

Published

2024-12-02T17:25:43Z

Modified

2024-12-13T20:48:34.545091Z

Severity

8.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS Calculator
6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L CVSS Calculator

Summary

SimpleSAMLphp SAML2 has an XXE in parsing SAML messages

Details

Summary

When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE.

$options is defined as: https://github.com/simplesamlphp/saml2/blob/717c0adc4877ebd58428637e5626345e59fa0109/src/SAML2/DOMDocumentFactory.php#L41 including the DTDLoad option, which allows an attacker to read file contents from local file system OR internal network.

While there is the NONET option, an attacker can simply bypass if by using PHP filters: php://filter/convert.base64-encode/resource=http://URL OR FILE

From there an attacker can induce network connections and steal the targeted file OOB (haven't fully tested this).

RCE may be possible with the php://expect or php://phar wrappers, but this hasn't been tested.

Note: The mitigation here: https://github.com/simplesamlphp/saml2/blob/717c0adc4877ebd58428637e5626345e59fa0109/src/SAML2/DOMDocumentFactory.php#L63-L69 Comes too late, as the XML has already been loaded into a document. Mitigation:

Remove the LIBXMLDTDLOAD | LIBXMLDTDATTR options. Additionally, as a defense in depth measure, check if there is the string:

Database specific

{
    "nvd_published_at": "2024-12-02T17:15:12Z",
    "cwe_ids": [
        "CWE-611"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-02T17:25:43Z"
}

References

Affected packages

Packagist / simplesamlphp/saml2

Package

Name: simplesamlphp/saml2
Purl: pkg:composer/simplesamlphp/saml2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.6.14

Affected versions

v0.*

v0.1.0-alpha

v0.1.0

v0.3.0

v0.4.0

v0.4.1

v0.4.2

v0.5.0

v0.6.0

v0.6.1

v0.6.2

v0.6.3

v0.6.4

v0.7.0

v0.7.1

v0.8.0

v0.8.1

v1.*

v1.0.0

v1.1.0

v1.2.0

v1.3.0

v1.3.1

v1.3.2

v1.4.0

v1.5.0

v1.5.1

v1.5.2

v1.5.3

v1.5.4

v1.6.0

v1.6.1

v1.7.0

v1.7.1

v1.7.2

v1.8

v1.8.1

v1.8.2

v1.9

v1.9.1

v1.9.2

v1.10

v1.10.1

v1.10.2

v1.10.3

v1.10.4

v1.10.5

v1.10.6

v2.*

v2.0.0

v2.0.1

v2.1

v2.2

v2.3

v2.3.1

v2.3.2

v2.3.3

v2.3.4

v2.3.5

v2.3.6

v2.3.7

v2.3.8

v2.3.9

v3.*

v3.0.0

v3.0.1

v3.0.2

v3.0.3

v3.1.0

v3.1.1

v3.1.2

v3.1.3

v3.1.4

v3.1.5

v3.1.6

v3.2

v3.2.1

v3.2.2

v3.2.3

v3.2.4

v3.2.5

v3.2.6

v3.3.0

v3.3.1

v3.3.2

v3.3.3

v3.3.4

v3.3.5

v3.3.6

v3.3.7

v3.3.8

v3.3.9

v3.3.10

v3.3.11

v3.4.0

v3.4.1

v3.4.2

v3.4.3

v3.4.4

v3.4.5

v4.*

v4.0.0

v4.0.1

v4.0.2

v4.0.3

v4.1.0

v4.1.1

v4.1.2

v4.1.3

v4.1.4

v4.1.5

v4.1.6

v4.1.7

v4.1.8

v4.1.9

v4.1.10

v4.1.11

v4.1.12

v4.2.0

v4.2.1

v4.2.2

v4.2.3

v4.2.4

v4.2.5

v4.2.6

v4.2.7

v4.2.8

v4.3.0

v4.3.1

v4.4.0

v4.4.1

v4.5.0

v4.5.1

v4.6.0

v4.6.1

v4.6.2

v4.6.3

v4.6.4

v4.6.5

v4.6.6

v4.6.7

v4.6.8

v4.6.10

v4.6.11

v4.6.12

v4.6.13

4.*

4.6.9

Packagist / simplesamlphp/saml2-legacy