GHSA-ppm4-r2vc-pg74: SimpleSAMLphp Information Disclosure vulnerability

May 28, 2024

The new admin interface includes a way to view information about the host where SimpleSAMLphp is installed, by means of the phpinfo() PHP function. An endpoint that exposes the output of that function is included in the admin module for easier debugging.

The aforementioned endpoint had no check for administrator privileges. This allowed anyone to reach the endpoint without authenticating and gather information about the affected system.
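The defect is a missing authorization check in front of a debugging endpoint. The following is an added illustration, not code from SimpleSAMLphp or from the fix commit referenced below: a minimal controller with the unprotected variant beside the protected one. The class and method names are hypothetical; the only real helper assumed is `\SimpleSAML\Utils\Auth::requireAdmin()`, the SimpleSAMLphp 1.x static guard that sends a non-admin session to the admin login and never returns control to the caller for an unauthorized request.

```php
<?php
// Added example (not SimpleSAMLphp's own code). Demonstrates the class of bug in
// GHSA-ppm4-r2vc-pg74: a phpinfo() debug endpoint rendered with no privilege check,
// and the same endpoint with an administrator check in front of it.
// DebugInfoController and its methods are hypothetical names;
// \SimpleSAML\Utils\Auth::requireAdmin() is assumed to be the real 1.x helper.

declare(strict_types=1);

use SimpleSAML\Utils\Auth;

final class DebugInfoController
{
    // VULNERABLE: anyone who can reach the route receives the full phpinfo() output
    // (PHP version, loaded extensions, ini paths, environment variables, server
    // variables), which is exactly the information disclosure described above.
    public function phpinfoUnprotected(): string
    {
        return $this->renderPhpinfo();
    }

    // FIXED: the administrator check runs before anything is rendered.
    // For a session that is not an authenticated admin, requireAdmin() redirects
    // (or throws) and execution never reaches renderPhpinfo(), so no bytes of
    // phpinfo() output leave the server.
    public function phpinfoProtected(): string
    {
        Auth::requireAdmin();

        return $this->renderPhpinfo();
    }

    // phpinfo() writes straight to the output buffer, so capture it into a string
    // instead of letting it stream out before any response headers are decided.
    private function renderPhpinfo(): string
    {
        ob_start();
        phpinfo();

        return (string) ob_get_clean();
    }
}
```

Even with the check in place, an endpoint of this kind is best left disabled on production hosts and enabled only while debugging; the authorization check closes the unauthenticated path, but phpinfo() output remains sensitive to anyone who does hold admin credentials.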

References

  • github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/2019-11-19.yaml
  • github.com/advisories/GHSA-ppm4-r2vc-pg74
  • github.com/simplesamlphp/simplesamlphp/commit/0e0d1f745f5491f9e848b1f3e6da198596bb8885
  • simplesamlphp.org/security/201911-02

Affected versions

All versions starting from 1.17.0 before 1.17.8

Fixed versions

  • 1.17.8

Solution

Upgrade to version 1.17.8 or above.

Impact: 5.9 MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Weakness

  • CWE-862: Missing Authorization

Source file

packagist/simplesamlphp/simplesamlphp/GHSA-ppm4-r2vc-pg74.yml


Page generated Wed, 14 May 2025 12:14:42 +0000.