8.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-52806

CVE-2024-52806: SimpleSAMLphp SAML2 has an XXE in parsing SAML messages

Summary

When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE.

$options is defined as: https://github.com/simplesamlphp/saml2/blob/717c0adc4877ebd58428637e5626345e59fa0109/src/SAML2/DOMDocumentFactory.php#L41 including the DTDLoad option, which allows an attacker to read file contents from local file system OR internal network.

While there is the NONET option, an attacker can simply bypass if by using PHP filters: php://filter/convert.base64-encode/resource=http://URL OR FILE

From there an attacker can induce network connections and steal the targeted file OOB (haven't fully tested this).

RCE may be possible with the php://expect or php://phar wrappers, but this hasn't been tested.

Note: The mitigation here: https://github.com/simplesamlphp/saml2/blob/717c0adc4877ebd58428637e5626345e59fa0109/src/SAML2/DOMDocumentFactory.php#L63-L69 Comes too late, as the XML has already been loaded into a document. Mitigation:

Remove the LIBXML_DTDLOAD | LIBXML_DTDATTR options. Additionally, as a defense in depth measure, check if there is the string: <!DOCTYPE inside the XML before parsing it. (This is not a complete fix because someone may be able to exploit some parser differentials, to load a DOCTYPE, maybe through spacing like: <! DOCTYPE)

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-52806

CVE-2024-52806:

8.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
simplesamlphp/saml2	composer	< 4.6.14	4.6.14
simplesamlphp/saml2-legacy	composer	< 4.6.14	4.6.14

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the DOMDocumentFactory::fromString method in src/SAML2/DOMDocumentFactory.php. The original code (before patching) set $options = LIBXML_DTDLOAD | LIBXML_DTDATTR | LIBXML_NONET | LIBXML_PARSEHUGE, which explicitly enabled DTD loading. This configuration allowed attackers to supply XML with external entity references. The patch removed these dangerous flags, confirming their role in the vulnerability. The function's position in the XML processing flow (before security checks for DOCTYPE) made it the primary attack vector.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-52806: SimpleSAMLphp SAML2 has an XXE in parsing SAML messages

CVE-2024-52806:

8.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2024-52806: SimpleSAMLphp SAML2 has an XXE in parsing SAML messages

8.3

8.3

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI