CVE-2024-52806: SimpleSAMLphp SAML2 has an XXE in parsing SAML messages

December 2, 2024 (updated December 13, 2024)

Summary

When loading an (untrusted) XML document, for example the SAMLResponse, it’s possible to induce an XXE.

References

github.com/advisories/GHSA-pxm4-r5ph-q2m2
github.com/simplesamlphp/saml2
github.com/simplesamlphp/saml2/commit/5fd4ce4596656fb0c1278f15b8305825412e89f7
github.com/simplesamlphp/saml2/security/advisories/GHSA-pxm4-r5ph-q2m2
nvd.nist.gov/vuln/detail/CVE-2024-52806

Detect and mitigate CVE-2024-52806 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →