
XXE

High
tvdijen published GHSA-2x65-fpch-2fcm Dec 1, 2024

Package: composer simplesamlphp/saml2 (Composer)
Affected versions: <4.6.14
Patched versions: 4.6.14

Package: composer simplesamlphp/saml2-legacy (Composer)
Affected versions: <4.6.14
Patched versions: 4.6.14

Package: composer simplesamlphp/xml-common (Composer)
Affected versions: <1.20
Patched versions: 1.20.0

Package: composer simplesamlphp/xml-security (Composer)
Affected versions: <1.10.0
Patched versions: 1.10.0

Description

Summary

When loading an untrusted XML document, for example a SAMLResponse, it is possible to induce an XML External Entity (XXE) injection.

Mitigation:

Remove the LIBXML_DTDLOAD | LIBXML_DTDATTR options from $options in: https://github.com/simplesamlphp/saml2/blob/717c0adc4877ebd58428637e5626345e59fa0109/src/SAML2/DOMDocumentFactory.php#L41
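As an added example (not the advisory's or the project's own code), a PHP loader for untrusted XML that applies the mitigation: it drops LIBXML_DTDLOAD | LIBXML_DTDATTR, keeps LIBXML_NONET, and additionally refuses any document that carries a DOCTYPE. The function and constant names are assumed, and the sample SAML snippets are constructed.

```php
<?php
declare(strict_types=1);

// The weak configuration the advisory describes: LIBXML_DTDLOAD fetches the
// external DTD subset and LIBXML_DTDATTR applies DTD-declared default attributes,
// so an attacker-supplied DOCTYPE gets honoured by the parser.
const WEAK_OPTIONS = LIBXML_DTDLOAD | LIBXML_DTDATTR | LIBXML_NONET;

// Hardened: no DTD loading, no default-attribute injection, no network access.
// (Deliberately no LIBXML_NOENT either, which would substitute entities.)
const SAFE_OPTIONS = LIBXML_NONET;

/** Hypothetical replacement for a DOMDocumentFactory-style loader. */
function loadUntrustedXml(string $xml): DOMDocument
{
    // A SAML message never legitimately carries a DOCTYPE, so fail closed before
    // the parser sees it (a false positive on DOCTYPE inside a comment is fine).
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new RuntimeException('Refusing XML document that contains a DOCTYPE');
    }

    $previous = libxml_use_internal_errors(true);
    try {
        $doc = new DOMDocument();
        if ($doc->loadXML($xml, SAFE_OPTIONS) === false) {
            $err = libxml_get_last_error();
            $msg = $err !== false ? trim($err->message) : 'unknown error';
            throw new RuntimeException('Malformed XML: ' . $msg);
        }
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }

    // Belt and braces: the parsed tree must not have a DTD attached either.
    if ($doc->doctype !== null) {
        throw new RuntimeException('Refusing XML document that declares a DTD');
    }
    return $doc;
}

// Constructed sample inputs, not real SAML traffic.
$benign = '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1">'
    . '<samlp:Status/></samlp:Response>';
$withDoctype = '<!DOCTYPE samlp:Response [<!ENTITY greeting "hello">]>' . $benign;

echo loadUntrustedXml($benign)->documentElement->localName, PHP_EOL;   // Response
try {
    loadUntrustedXml($withDoctype);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```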

Background / details

To be published on Dec 8.

Severity

High

CVE ID

CVE-2024-52596

Weaknesses

Credits