CVE-2024-52806
📋 TL;DR
This CVE describes an XML External Entity (XXE) vulnerability in the SimpleSAMLphp SAML2 library that allows an attacker to read arbitrary files from the server or perform server-side request forgery (SSRF) when the library processes untrusted XML documents such as SAML responses. Any application that uses a vulnerable version of this library for SAML authentication is affected. The vulnerability can lead to sensitive data exposure and potential server compromise.
💻 Affected Systems
- SimpleSAMLphp SAML2 library
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise through file disclosure of sensitive configuration files (database credentials, private keys) followed by remote code execution or lateral movement within the network.
Likely Case
Unauthorized access to sensitive server files including configuration files, source code, and system files, potentially leading to credential theft and further exploitation.
If Mitigated
Limited impact with proper network segmentation, file system permissions, and external entity processing disabled at system level.
🎯 Exploit Status
Exploitation requires the ability to submit XML to the SAML processing endpoint. Complexity is medium because it requires an understanding of the SAML protocol and of XXE payloads.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.6.14 or 5.0.0-alpha.18
Vendor Advisory: https://github.com/simplesamlphp/saml2/security/advisories/GHSA-pxm4-r5ph-q2m2
Restart Required: No
Instructions:
1. Update the SimpleSAMLphp SAML2 library to version 4.6.14 or 5.0.0-alpha.18.
2. Run composer update simplesamlphp/saml2.
3. Clear any PHP opcode caches.
4. Test SAML authentication functionality.
🔧 Temporary Workarounds
Disable external entity processing in PHP
Configure PHP to disable external entity loading globally. Check the libxml build PHP is using:
php -i | grep libxml
Then add 'libxml_disable_entity_loader(true);' to the application bootstrap.
🧯 If You Can't Patch
- Implement WAF rules to block XXE patterns in XML payloads
- Use XML schema validation to reject malformed SAML responses before processing
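As an added example (not code from simplesamlphp/saml2 or from this advisory), the following application-side guard implements the intent of the workaround and of the pre-processing rejection above: it refuses any SAML XML that carries a DOCTYPE or entity references before the document reaches the library, and parses with LIBXML_NONET and without LIBXML_NOENT or LIBXML_DTDLOAD. The class name and the sample documents are assumptions constructed for illustration; it requires PHP 8.0+ with ext-dom.

```php
<?php
// Added example (not simplesamlphp/saml2 code): application-side guard that
// refuses SAML XML carrying a DOCTYPE or entity references before the document
// reaches the library. Assumes PHP 8.0+ with ext-dom.
final class SamlXmlGuard
{
    public static function parse(string $xml): DOMDocument
    {
        // A SAML message never legitimately needs a DTD. Reject UTF-16 input
        // first so the byte-level pre-check cannot be bypassed via encoding.
        if (str_starts_with($xml, "\xFF\xFE") || str_starts_with($xml, "\xFE\xFF")) {
            throw new InvalidArgumentException('UTF-16 encoded XML rejected');
        }
        if (stripos($xml, '<!DOCTYPE') !== false || stripos($xml, '<!ENTITY') !== false) {
            throw new InvalidArgumentException('DTD/entity declaration rejected');
        }
        $prev = libxml_use_internal_errors(true);
        try {
            $dom = new DOMDocument();
            // LIBXML_NONET blocks network fetches; LIBXML_NOENT and LIBXML_DTDLOAD
            // are deliberately absent, so nothing is substituted or loaded.
            if ($dom->loadXML($xml, LIBXML_NONET) === false) {
                throw new InvalidArgumentException('XML is not well-formed');
            }
        } finally {
            libxml_clear_errors();
            libxml_use_internal_errors($prev);
        }
        // Belt and braces after parsing: no doctype node, no entity reference nodes.
        if ($dom->doctype !== null || self::hasEntityRef($dom)) {
            throw new InvalidArgumentException('DTD or entity reference present');
        }
        return $dom;
    }

    private static function hasEntityRef(DOMNode $node): bool
    {
        if ($node->nodeType === XML_ENTITY_REF_NODE) { return true; }
        foreach ($node->childNodes as $child) {
            if (self::hasEntityRef($child)) { return true; }
        }
        return false;
    }
}
// Constructed samples: a minimal Response is accepted, a DTD-bearing document is not.
$benign = '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_a"/>';
$hostile = '<!DOCTYPE r [<!ENTITY e SYSTEM "file:///dev/null">]><r>&e;</r>';
SamlXmlGuard::parse($benign);
try { SamlXmlGuard::parse($hostile); } catch (InvalidArgumentException $e) { echo "rejected: {$e->getMessage()}\n"; }
```

On PHP older than 8.0 the bootstrap call to libxml_disable_entity_loader(true) from the workaround above still applies; on 8.0 and later that function is deprecated because libxml no longer loads external entities unless LIBXML_NOENT or LIBXML_DTDLOAD is passed explicitly.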
🔍 How to Verify
Check if Vulnerable:
Check composer.json or the vendor/simplesamlphp/saml2/VERSION file for a version number below 4.6.14 or 5.0.0-alpha.18.
Check Version:
grep -A1 '"name": "simplesamlphp/saml2"' composer.lock | grep '"version"'
Verify Fix Applied:
Verify that the version is 4.6.14 or higher, or 5.0.0-alpha.18 or higher. Test with a known safe XXE payload to confirm rejection.
📡 Detection & Monitoring
Log Indicators:
- XML parsing errors mentioning external entities
- Unusual file access patterns from web process
- Large XML payloads to SAML endpoints
Network Indicators:
- XML payloads containing SYSTEM or PUBLIC declarations
- HTTP requests to SAML endpoints with unusual Content-Type headers
SIEM Query:
source="web_logs" AND (uri="*/saml2/*" OR uri="*/sso/*") AND (message="*entity*" OR message="*XXE*" OR message="*external*" OR size>100000)