Severity: HIGH (7.5)
GHSA-5cjr-mxj5-wmrx
SimpleSAMLphp has Possible DoS via XPath Transform
Details
## Summary
This library turned out to be vulnerable to Denial-of-Service attacks using XPath transforms. A mitigation has been put in place that limits the number of transforms in a signature reference and accepts only the transform algorithms named in the SAML 2.0 Core specification; XPath transforms in particular are refused.
## Impact
An attacker can send specially crafted messages to any entity relying on SimpleSAMLphp (or directly on this SAML2 library) and thereby perform a Denial-of-Service attack.
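As an added illustration of the mitigation described above (not code from the SimpleSAMLphp project; the allow-list contents, the limit of two transforms and the sample messages are assumptions made here), a check that refuses a message before any signature work if a ds:Reference carries more transforms than allowed or any transform algorithm outside the SAML 2.0 Core list:

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
# Transform algorithms SAML 2.0 Core (section 5.4.4) allows inside a
# ds:Reference. Anything else, XPath included, is refused up front.
ALLOWED_TRANSFORMS = {
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
}
MAX_TRANSFORMS = 2  # enveloped-signature plus at most one canonicalization (assumed limit)

def check_signature_transforms(xml_text, allowed=ALLOWED_TRANSFORMS,
                               limit=MAX_TRANSFORMS):
    """Return (True, "ok") or (False, reason) after inspecting every
    ds:Reference in the message. Call this before any canonicalization or
    digest work so a hostile Transforms list costs nothing to reject.
    (For untrusted input use a hardened parser such as defusedxml.)"""
    root = ET.fromstring(xml_text)
    for ref in root.iter(f"{{{DS}}}Reference"):
        transforms = ref.findall(f"{{{DS}}}Transforms/{{{DS}}}Transform")
        if len(transforms) > limit:
            return False, f"too many transforms ({len(transforms)} > {limit})"
        for transform in transforms:
            alg = transform.get("Algorithm", "")
            if alg not in allowed:
                return False, f"transform algorithm not allowed: {alg}"
    return True, "ok"

def build_message(transform_algs):
    """Constructed minimal SAML Response carrying the given transform list
    (no real digest or signature value; only the Transforms matter here)."""
    transforms = "".join(f'<ds:Transform Algorithm="{a}"/>' for a in transform_algs)
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'xmlns:ds="{DS}" ID="_resp"><ds:Signature><ds:SignedInfo>'
        '<ds:Reference URI="#_resp"><ds:Transforms>' + transforms +
        "</ds:Transforms></ds:Reference></ds:SignedInfo></ds:Signature>"
        "</samlp:Response>"
    )

ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
XPATH = "http://www.w3.org/TR/1999/REC-xpath-19991116"  # XMLDSig XPath transform URI

GOOD = build_message([ENVELOPED, EXC_C14N])             # spec-conformant, accepted
XPATH_MSG = build_message([ENVELOPED, XPATH])           # refused by the allow-list
FLOOD = build_message([ENVELOPED, EXC_C14N, EXC_C14N])  # refused by the count limit
```

`check_signature_transforms(GOOD)` returns `(True, "ok")`, while the other two constructed messages are rejected with a reason naming the offending transform or count; the check covers only the Transforms list, so normal signature verification still has to follow it.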
Affected packages

| Ecosystem / package | Introduced in | Fixed in | Fix |
| --- | --- | --- | --- |
| Packagist / simplesamlphp/saml2 | 0 | 4.20.3 | `composer require simplesamlphp/saml2:^4.20.3` |
| Packagist / simplesamlphp/saml2-legacy | 0 | 4.20.3 | `composer require simplesamlphp/saml2-legacy:^4.20.3` |