GHSA-ppm4-r2vc-pg74: SimpleSAMLphp Information Disclosure vulnerability

May 28, 2024

The new admin interface includes a way to view information about the host where SimpleSAMLphp is installed, by means of the phpinfo() PHP function. An endpoint that exposes the output of that function is included in the admin module for easier debugging.

The aforementioned endpoint had no checks for administrator privileges. This would allow any individual to access the given endpoint without authenticating, gathering information about the affected system.

References

github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/2019-11-19.yaml
github.com/advisories/GHSA-ppm4-r2vc-pg74
github.com/simplesamlphp/simplesamlphp/commit/0e0d1f745f5491f9e848b1f3e6da198596bb8885
simplesamlphp.org/security/201911-02

Code Behaviors & Features

Detect and mitigate GHSA-ppm4-r2vc-pg74 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →