GHSA-vpr3-cw3h-prw8

Suggest an improvement
Source
https://github.com/advisories/GHSA-vpr3-cw3h-prw8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-vpr3-cw3h-prw8/GHSA-vpr3-cw3h-prw8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-vpr3-cw3h-prw8
Published
2024-05-28T20:55:51Z
Modified
2024-12-03T06:08:33.102827Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
SimpleSAMLphp Reflected Cross-site Scripting vulnerability
Details

Background

SimpleSAMLphp uses metadata to determine how to interact with other SAML entities. This metadata includes what’s called endpoints, which are URLs belonging to that entity where SAML messages can be sent. These URLs are used directly by SimpleSAMLphp when a message is sent, either via an HTTP redirection or by automatically posting a form to them.

Description

When sending a SAML message to another entity, SimpleSAMLphp will use the URL of the appropriate endpoint to redirect the user’s browser to it, or craft a form that will be automatically posted to it, depending on the SAML binding used. The URL that’s target of the message is fetched from the stored metadata for the given entity, and that metadata is trusted as correct.

However, if that metadata has been altered by a malicious party (either an attacker or a rogue administrator) to substitute the URLs of the endpoints with javascript code, SimpleSAMLphp was blindly using them without any validation, trusting the contents of the metadata. This would lead to a reflected XSS where the javascript code is sent inline to the web browser, and if SimpleSAMLphp is not using a strict Content Security Policy to forbid inline javascript (which is the case of the default user interface), then the code will be executed in the end user’s browser.

Affected versions

All SimpleSAMLphp versions are affected, up to 1.17.2.

Impact

If metadata is consumed for a rogue entity that includes javascript code in the corresponding endpoints, this javascript code might be run by users trying to access this entity.

Even though it’s unlikely that an administrator would add metadata for an entity that contains such endpoints inadvertently, if metadata is consumed automatically (e.g. using metarefresh) it would be easier to have an scenario like the one described here if a SAML entity is compromised and its metadata modified.

The severity is assessed as medium given the difficulty to exploit the issue.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-28T20:55:51Z"
}
References

Affected packages

Packagist / simplesamlphp/simplesamlphp

Package

Name
simplesamlphp/simplesamlphp
Purl
pkg:composer/simplesamlphp/simplesamlphp

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.12.0
Fixed
1.17.3

Affected versions

v1.*

v1.12.0
v1.13.0-rc1
v1.13.0-rc2
v1.13.0
v1.13.1
v1.13.2
v1.14.0-rc1
v1.14.0
v1.14.1
v1.14.2
v1.14.3
v1.14.4
v1.14.5
v1.14.6
v1.14.7
v1.14.8
v1.14.9
v1.14.10
v1.14.11
v1.14.12
v1.14.13
v1.14.14
v1.14.15
v1.14.16
v1.14.17
v1.15.0-rc1
v1.15.0-rc2
v1.15.0-rc3
v1.15.0
v1.15.1
v1.15.2
v1.15.3
v1.15.4
v1.17.0-rc1
v1.17.0-rc2
v1.17.0-rc3
v1.17.0
v1.17.1
v1.17.2

1.*

1.16.0-rc1
1.16.0
1.16.1
1.16.2
1.16.3