PT-2024-40406 · Unknown · Simplesamlphp

Published: 2024-05-28 · Updated: 2024-05-28

CVSS v3.1: 5.9 (Medium)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

SimpleSAMLphp versions 1.17 up to 1.17.7

Description

The issue concerns an endpoint in the admin module of SimpleSAMLphp that exposes the output of the phpinfo() PHP function, allowing any individual to access it without authenticating and gather information about the affected system. This could be used to gather intelligence about the host where SimpleSAMLphp is deployed. The impact is deemed low because the new user interface and admin module must be explicitly enabled.

Recommendations

For SimpleSAMLphp versions 1.17 up to 1.17.7, upgrade to SimpleSAMLphp 1.17.8 or 1.18. Alternatively, mitigate the issue by disabling the new user interface, setting the usenewui configuration option to false. As another alternative, disable the admin module by setting 'admin' => false in the module.enable section of the configuration.

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: GHSA-PPM4-R2VC-PG74

Affected Products: Simplesamlphp