PT-2024-35456 · Unknown · SimpleSAMLphp SAML2 Library

Ahacker1-Securesaml · Published 2024-12-02 · Updated 2024-12-03 · CVE-2024-52806

CVSS v3.1: 8.3 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions
SimpleSAMLphp SAML2 library versions prior to 4.6.14
SimpleSAMLphp SAML2 library versions prior to 5.0.0-alpha.18

Description
The SimpleSAMLphp SAML2 library is vulnerable to an XML External Entity (XXE) attack when loading untrusted XML documents, such as the SAMLResponse. This allows an attacker to induce an XXE, potentially leading to the reading of file contents from the local file system or internal network. The LIBXML_DTDLOAD option in the $options variable, defined in the DOMDocumentFactory.php file, enables this vulnerability. An attacker can bypass the LIBXML_NONET option by using PHP filters, such as php://filter/convert.base64-encode/resource=http://URL or php://filter/convert.base64-encode/resource=FILE, to induce network connections and steal targeted files. Remote Code Execution (RCE) may also be possible using the php://expect or php://phar wrappers, although this has not been fully tested.

Recommendations
For SimpleSAMLphp SAML2 library versions prior to 4.6.14, update to version 4.6.14 or later. For SimpleSAMLphp SAML2 library versions prior to 5.0.0-alpha.18, update to version 5.0.0-alpha.18 or later. As a temporary mitigation measure, consider removing the LIBXML_DTDLOAD | LIBXML_DTDATTR options from the $options variable. Additionally, check for the presence of the string <!DOCTYPE inside the XML before parsing it, although this is not a complete fix.
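The following PHP loader is an added example, not code from the SimpleSAMLphp project or from this advisory. It shows what the recommended interim mitigation looks like in practice: the parse options deliberately omit LIBXML_DTDLOAD and LIBXML_DTDATTR, the raw input is pre-checked for the string <!DOCTYPE, and, because that textual check alone is incomplete (it fires on a comment and can be evaded by nothing it misses only by luck), the parsed document is also rejected if libxml reports a DOCTYPE node. The class name HardenedXmlLoader and the two sample documents are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not the SimpleSAMLphp project's code): a hardened loader for
// untrusted XML such as a SAMLResponse. No DTD loading, no entity substitution,
// no network access, and any document that carries a DOCTYPE is refused, so an
// external entity declaration is never resolved.
final class HardenedXmlLoader
{
    // Safe parse flags. Contrast with the vulnerable pattern described in the
    // advisory, which additionally set LIBXML_DTDLOAD | LIBXML_DTDATTR.
    // LIBXML_NOENT is intentionally absent as well.
    private const SAFE_OPTIONS = LIBXML_NONET | LIBXML_NOBLANKS;

    public static function load(string $xml): DOMDocument
    {
        // Interim textual check from the advisory. It is cheap but not a complete
        // fix on its own (for example it also matches inside an XML comment), so
        // the structural check after parsing is the one that must hold.
        if (stripos($xml, '<!DOCTYPE') !== false) {
            throw new RuntimeException('Refusing XML with a DOCTYPE declaration');
        }

        // On PHP < 8.0 also call libxml_disable_entity_loader(true) here; from
        // PHP 8.0 external entity loading is disabled by default and the call
        // is deprecated.
        $previous = libxml_use_internal_errors(true);
        try {
            $dom = new DOMDocument();
            if ($dom->loadXML($xml, self::SAFE_OPTIONS) === false) {
                $messages = array_map(
                    static fn(LibXMLError $e): string => trim($e->message),
                    libxml_get_errors()
                );
                throw new RuntimeException('XML parse error: ' . implode('; ', $messages));
            }
        } finally {
            libxml_clear_errors();
            libxml_use_internal_errors($previous);
        }

        // Structural check: the parser itself tells us whether a DOCTYPE was present.
        if ($dom->doctype !== null) {
            throw new RuntimeException('Refusing XML with a DOCTYPE declaration');
        }

        return $dom;
    }
}

// Constructed sample inputs for a stand-alone run.
$benign = '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        . 'ID="_example" Version="2.0"><samlp:Status/></samlp:Response>';
$withDoctype = '<!DOCTYPE r [<!ENTITY e "harmless">]><r>&e;</r>';

$doc = HardenedXmlLoader::load($benign);
echo 'accepted: ', $doc->documentElement->tagName, PHP_EOL;   // samlp:Response

try {
    HardenedXmlLoader::load($withDoctype);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The two checks are layered on purpose: the string scan catches the common case before any parsing happens, and the `$dom->doctype` test covers whatever the scan misses, since libxml only reports a DOCTYPE node when it actually parsed one. A deployment on an affected version should still upgrade to 4.6.14 or 5.0.0-alpha.18 as the advisory recommends; this loader is the shape of the stopgap, not a substitute for the fix.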

Tags: Exploit · Fix · XXE


Related Identifiers

CVE-2024-52806
DLA-3981-1
DSA-5822-1
GHSA-PXM4-R5PH-Q2M2

Affected Products

SimpleSAMLphp SAML2 Library