CVE-2024-52596

EUVD-2024-3414
SimpleSAMLphp xml-common is a common classes for handling XML-structures. When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE. This vulnerability is fixed in 1.19.0.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
UNKNOWN
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 34%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
simplesamlphpxml-common
𝑥
< 1.20.0
ADP
Debian logo
Debian Releases
Debian Product
Codename
simplesamlphp
bookworm
1.19.7-1+deb12u2
fixed
bookworm (security)
1.19.7-1+deb12u1
fixed
bullseye
vulnerable
bullseye (security)
1.19.0-1+deb11u2
fixed
sid
1.19.7-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
simplesamlphp
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
needs-triage
oracular
ignored
plucky
needs-triage
questing
needs-triage
xenial
needs-triage
Common Weakness Enumeration
References
https://github.com/simplesamlphp/xml-common/commit/fa4ade391c3194466acf5fbfd5d2ecdbf5e831f5
https://github.com/simplesamlphp/xml-common/security/advisories/GHSA-2x65-fpch-2fcm
https://lists.debian.org/debian-lts-announce/2024/12/msg00001.html