Information Exposure

Affecting simplesamlphp/simplesamlphp package, versions >=1.17.0, <1.17.8


Overview

simplesamlphp/simplesamlphp is a PHP implementation of a SAML 2.0 service provider and identity provider, also compatible with Shibboleth 1.3 and 2.0.

Affected versions of this package are vulnerable to Information Exposure. An unprotected endpoint that is part of SimpleSAMLphp can be accessed, and it exposes deployment and debugging information.

Remediation

Upgrade simplesamlphp/simplesamlphp to version 1.17.8 or higher.
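
One way to check whether a Composer-managed deployment falls inside the affected range, as an added example that is not code from this advisory or from the SimpleSAMLphp project. It assumes the installed version is recorded in a composer.lock file; the function names and the sample lock content are constructed for illustration.

```python
import json
import re

PACKAGE = "simplesamlphp/simplesamlphp"
AFFECTED_MIN = (1, 17, 0)  # inclusive lower bound, from the advisory
FIXED = (1, 17, 8)         # first fixed release, from the advisory


def parse_version(raw):
    """Return (major, minor, patch) for a plain release string such as
    'v1.17.6', or None for branches and pre-releases ('dev-master',
    '1.17.8-RC1'), which are flagged for review instead of guessed."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", raw.strip())
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def classify(raw):
    """Map a version string to 'affected', 'not-affected' or 'unknown'."""
    ver = parse_version(raw)
    if ver is None:
        return "unknown"
    return "affected" if AFFECTED_MIN <= ver < FIXED else "not-affected"


def audit_lock(lock_text):
    """Return (version, verdict) for each entry of the package found in
    the 'packages' and 'packages-dev' sections of a composer.lock."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name", "").lower() == PACKAGE:
                version = pkg.get("version", "")
                findings.append((version, classify(version)))
    return findings


# Constructed sample lock file (not taken from a real deployment).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "simplesamlphp/simplesamlphp", "version": "v1.17.6"},
        {"name": "example/other-lib", "version": "2.0.1"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for version, verdict in audit_lock(SAMPLE_LOCK):
        print(f"{PACKAGE} {version}: {verdict}")
```

An "unknown" verdict means the lock file pins a branch or pre-release that cannot be compared against the advisory's range and should be checked by hand.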

CVSS Score

3.1 (low severity)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:R

Credit: Unknown
CWE: CWE-200
Snyk ID: SNYK-PHP-SIMPLESAMLPHPSIMPLESAMLPHP-536104
Disclosed: 27 Nov, 2019
Published: 01 Dec, 2019