CVE-2024-52806

EUVD-2024-3495
SimpleSAMLphp SAML2 library is a PHP library for SAML2 related functionality. When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE. This vulnerability is fixed in 4.6.14 and 5.0.0-alpha.18.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.3 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 33%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
simplesamlphpsaml2
𝑥
< 4.6.14
ADP
simplesamlphpsaml2
𝑥
≤ 5.0.0-alpha.1
ADP
simplesamlphpsaml2
𝑥
< 5.0.0-alpha.18
ADP
Debian logo
Debian Releases
Debian Product
Codename
simplesamlphp
bookworm
1.19.7-1+deb12u2
fixed
bookworm (security)
1.19.7-1+deb12u1
fixed
bullseye
vulnerable
bullseye (security)
1.19.0-1+deb11u2
fixed
sid
1.19.7-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
simplesamlphp
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
needs-triage
oracular
ignored
plucky
needs-triage
questing
needs-triage
xenial
needs-triage
Common Weakness Enumeration
References
https://github.com/simplesamlphp/saml2/commit/5fd4ce4596656fb0c1278f15b8305825412e89f7
https://github.com/simplesamlphp/saml2/security/advisories/GHSA-pxm4-r5ph-q2m2