GHSA-j5g2-q29x-cw3h: SimpleSAMLphp vulnerable to XXE in parsing SAML messages

December 2, 2024 (updated December 4, 2024)

When loading an (untrusted) XML document, for example the SAMLResponse, it’s possible to induce an XXE.

References

github.com/advisories/GHSA-j5g2-q29x-cw3h
github.com/simplesamlphp/simplesamlphp
github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-j5g2-q29x-cw3h
github.com/simplesamlphp/xml-common/security/advisories/GHSA-2x65-fpch-2fcm
nvd.nist.gov/vuln/detail/CVE-2024-52596

Code Behaviors & Features

Detect and mitigate GHSA-j5g2-q29x-cw3h with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →