CVE-2024-52596

Name: CVE-2024-52596
Description: SimpleSAMLphp xml-common is a set of common classes for handling XML structures. When loading an (untrusted) XML document, for example the SAMLResponse, it is possible to induce an XXE. This vulnerability is fixed in 1.19.0.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-3981-1, DSA-5822-1
Debian Bugs: 1088904

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package        Release                 Version             Status
simplesamlphp (PTS)   bullseye                1.19.0-1            vulnerable
                      bullseye (security)     1.19.0-1+deb11u1    fixed
                      bookworm (security)     1.19.7-1+deb12u1    fixed
                      sid, trixie, bookworm   1.19.7-1            vulnerable

The information below is based on the following data on fixed versions.

Package         Type     Release       Fixed Version       Urgency   Origin        Debian Bugs
simplesamlphp   source   bullseye      1.19.0-1+deb11u1              DLA-3981-1
simplesamlphp   source   bookworm      1.19.7-1+deb12u1              DSA-5822-1
simplesamlphp   source   (unstable)    (unfixed)                                   1088904

Notes

https://github.com/simplesamlphp/simplesamlphp/releases/tag/v2.3.4
https://github.com/simplesamlphp/xml-common/security/advisories/GHSA-2x65-fpch-2fcm
Fixed by: https://github.com/simplesamlphp/xml-common/commit/fa4ade391c3194466acf5fbfd5d2ecdbf5e831f5
Mitigation: Remove the LIBXML_DTDLOAD | LIBXML_DTDATTR options from $options.
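The mitigation above applied to a loader for untrusted XML, as an added example that is not code from SimpleSAMLphp or xml-common: it drops the two DTD options, disables external entity resolution outright, and rejects any DOCTYPE after parsing. The function name loadUntrustedXml and both sample documents are assumptions constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not code from SimpleSAMLphp or xml-common. The function name
// loadUntrustedXml is hypothetical; the sample documents below are constructed.
function loadUntrustedXml(string $xml): DOMDocument
{
    // Weak option set, the one the mitigation note says to drop: LIBXML_DTDLOAD and
    // LIBXML_DTDATTR make libxml fetch the DTD named in an attacker-controlled
    // DOCTYPE and apply it, which is what turns a plain parse into an XXE.
    //   $options = LIBXML_NONET | LIBXML_DTDLOAD | LIBXML_DTDATTR;   // vulnerable

    // Hardened option set: no DTD loading, no network, and never LIBXML_NOENT.
    $options = LIBXML_NONET | LIBXML_NSCLEAN | LIBXML_PARSEHUGE;

    // Defence in depth: refuse to resolve any external entity or DTD at all.
    libxml_set_external_entity_loader(static fn () => null);
    $previousErrors = libxml_use_internal_errors(true);
    try {
        $doc = new DOMDocument();
        $ok = $doc->loadXML($xml, $options);
        $errors = libxml_get_errors();
        libxml_clear_errors();
        // Untrusted input gets no leniency: any libxml warning is a rejection.
        if (!$ok || $errors !== []) {
            throw new RuntimeException('Malformed XML: ' . ($errors[0]->message ?? 'parse failed'));
        }
        // A DOCTYPE has no place in a SAML message; reject it even though it was not loaded.
        foreach ($doc->childNodes as $node) {
            if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
                throw new RuntimeException('DOCTYPE is not allowed in untrusted XML');
            }
        }
        return $doc;
    } finally {
        libxml_use_internal_errors($previousErrors);
        libxml_set_external_entity_loader(null); // back to the default loader
    }
}

// Constructed sample: a minimal, DOCTYPE-free message is accepted...
$doc = loadUntrustedXml('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_1"/>');
echo $doc->documentElement->tagName, PHP_EOL;

// ...while a constructed probe carrying an external DTD reference is rejected.
try {
    loadUntrustedXml('<!DOCTYPE x SYSTEM "http://dtd.invalid/x.dtd"><x/>');
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Without LIBXML_DTDLOAD the external DTD in the second document is never fetched, so the explicit DOCTYPE check is what rejects it; keep that check even after upgrading, since it fails closed regardless of which libxml options a future caller passes.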
