Improper Input Validation Affecting simplesamlphp/saml2 package, versions >=5.0.0-alpha.12, <5.0.0-alpha.13


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.19% (10th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PHP-SIMPLESAMLPHPSAML2-6094944
  • published29 Nov 2023
  • disclosed28 Nov 2023
  • creditUnknown

Introduced: 28 Nov 2023

CVE-2023-49087  (opens in a new tab)
CWE-20  (opens in a new tab)

How to fix?

Upgrade simplesamlphp/saml2 to version 5.0.0-alpha.13 or higher.

Overview

Affected versions of this package are vulnerable to Improper Input Validation via the SignedElementTrait::validateReference and SignedElementTrait::verifyInternal functions. An attacker can manipulate the canonicalized version's DigestValue, potentially forging the signature by exploiting a bug in PHP's canonicalization function.

References

CVSS Base Scores

version 3.1