CVE-2020-5301

SimpleSAMLphp versions before 1.18.6 contain an information disclosure vulnerability. The module controller in `SimpleSAML\Module` that processes requests for pages hosted by modules, has code to identify paths ending with `.php` and process those as PHP code. If no other suitable way of handling the given path exists it presents the file to the browser. The check to identify paths ending with `.php` does not account for uppercase letters. If someone requests a path ending with e.g. `.PHP` and the server is serving the code from a case-insensitive file system, such as on Windows, the processing of the PHP code does not occur, and the source code is instead presented to the browser. An attacker may use this issue to gain access to the source code in third-party modules that is meant to be private, or even sensitive. However, the attack surface is considered small, as the attack will only work when SimpleSAMLphp serves such content from a file system that is not case-sensitive, such as on Windows. This issue is fixed in version 1.18.6.

CVSS v3 3.1 LOW
CVSS v2.0 3.5 LOW

3.1^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.6 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:P/I:N/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://github.com/simplesamlphp/simplesamlphp/commit/47968d26a2fd3ed52da70dc09210921d612ce44e	Patch Third Party Advisory
https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-24m3-w8g9-jwpq	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:simplesamlphp:simplesamlphp:*:*:*:*:*:*:*:*

History

14 Sep 2021, 13:44

Type	Values Removed	Values Added
CWE	~~CWE-200~~	CWE-178

Information

Published : 2020-04-21 20:15

Updated : 2023-12-10 13:27

NVD link : CVE-2020-5301

Mitre link : CVE-2020-5301

CVE.ORG link : CVE-2020-5301

JSON object : View

Products Affected

simplesamlphp

simplesamlphp

CWE

CWE-178

Improper Handling of Case Sensitivity

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2020-5301", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.6}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 3.0, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.3}]}, "published": "2020-04-21T20:15:13.260", "references": [{"url": "https://github.com/simplesamlphp/simplesamlphp/commit/47968d26a2fd3ed52da70dc09210921d612ce44e", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-24m3-w8g9-jwpq", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-178"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "SimpleSAMLphp versions before 1.18.6 contain an information disclosure vulnerability. The module controller in `SimpleSAML\\Module` that processes requests for pages hosted by modules, has code to identify paths ending with `.php` and process those as PHP code. If no other suitable way of handling the given path exists it presents the file to the browser. The check to identify paths ending with `.php` does not account for uppercase letters. If someone requests a path ending with e.g. `.PHP` and the server is serving the code from a case-insensitive file system, such as on Windows, the processing of the PHP code does not occur, and the source code is instead presented to the browser. An attacker may use this issue to gain access to the source code in third-party modules that is meant to be private, or even sensitive. However, the attack surface is considered small, as the attack will only work when SimpleSAMLphp serves such content from a file system that is not case-sensitive, such as on Windows. This issue is fixed in version 1.18.6."}, {"lang": "es", "value": "Las versiones SimpleSAMLphp en versiones anteriores a la 1.18.6 contienen una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n. El controlador de m\u00f3dulos en `SimpleSAML\\Module` que procesa las peticiones de p\u00e1ginas alojadas por m\u00f3dulos, tiene c\u00f3digo para identificar las rutas que terminan en `.php` y procesarlas como c\u00f3digo PHP. Si no existe otra forma adecuada de manejar la ruta dada, presenta el archivo al navegador. La comprobaci\u00f3n para identificar los caminos que terminan en `.php` no tiene en cuenta las may\u00fasculas. Si alguien solicita un camino que termina por ejemplo con `.PHP` y el servidor est\u00e1 sirviendo el c\u00f3digo de un sistema de archivos que no distingue entre may\u00fasculas y min\u00fasculas, como en Windows, el procesamiento del c\u00f3digo PHP no ocurre, y el c\u00f3digo fuente se presenta en su lugar al navegador. Un atacante puede utilizar este problema para obtener acceso al c\u00f3digo fuente en m\u00f3dulos de terceros que se supone que son privados, o incluso sensibles. Sin embargo, se considera que la superficie de ataque es peque\u00f1a, ya que el ataque s\u00f3lo funcionar\u00e1 cuando SimpleSAMLphp sirva ese contenido desde un sistema de archivos que no distinga entre may\u00fasculas y min\u00fasculas, como en Windows. Este problema est\u00e1 corregido en la versi\u00f3n 1.18.6."}], "lastModified": "2021-09-14T13:44:27.607", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:simplesamlphp:simplesamlphp:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AD186CF9-4548-455F-8A4C-F4D8FD572416", "versionEndExcluding": "1.18.6"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}