Lucene search

[email protected]CVE-2023-26267

HistoryFeb 21, 2023 - 9:15 a.m.

CVE-2023-26267

2023-02-2109:15:13

CWE-611

[email protected]

web.nvd.nist.gov

cve-2023-26267

php-saml-sp

security vulnerability

xml

external entities

file reading

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.6 Medium

AI Score

Confidence

High

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

0.001 Low

EPSS

Percentile

27.3%

JSON

php-saml-sp before 1.1.1 and 2.x before 2.1.1 allows reading arbitrary files as the webserver user because resolving XML external entities was silently enabled via \LIBXML_DTDLOAD | \LIBXML_DTDATTR.

CPENameOperatorVersion
php-saml-sp_project:php-saml-spphp-saml-sp project php-saml-splt1.1.1
php-saml-sp_project:php-saml-spphp-saml-sp project php-saml-speq0.3.1
php-saml-sp_project:php-saml-spphp-saml-sp project php-saml-speq0.4.0
php-saml-sp_project:php-saml-spphp-saml-sp project php-saml-speq0.2.2
php-saml-sp_project:php-saml-spphp-saml-sp project php-saml-speq0.5.7
php-saml-sp_project:php-saml-spphp-saml-sp project php-saml-speq0.4.1
php-saml-sp_project:php-saml-spphp-saml-sp project php-saml-speq1.0.2
php-saml-sp_project:php-saml-spphp-saml-sp project php-saml-speq0.5.3
php-saml-sp_project:php-saml-spphp-saml-sp project php-saml-speq0.3.2
php-saml-sp_project:php-saml-spphp-saml-sp project php-saml-speq0.5.5

CPE	Name	Operator	Version
php-saml-sp_project:php-saml-sp	php-saml-sp project php-saml-sp	lt	1.1.1
php-saml-sp_project:php-saml-sp	php-saml-sp project php-saml-sp	eq	0.3.1
php-saml-sp_project:php-saml-sp	php-saml-sp project php-saml-sp	eq	0.4.0
php-saml-sp_project:php-saml-sp	php-saml-sp project php-saml-sp	eq	0.2.2
php-saml-sp_project:php-saml-sp	php-saml-sp project php-saml-sp	eq	0.5.7
php-saml-sp_project:php-saml-sp	php-saml-sp project php-saml-sp	eq	0.4.1
php-saml-sp_project:php-saml-sp	php-saml-sp project php-saml-sp	eq	1.0.2
php-saml-sp_project:php-saml-sp	php-saml-sp project php-saml-sp	eq	0.5.3
php-saml-sp_project:php-saml-sp	php-saml-sp project php-saml-sp	eq	0.3.2
php-saml-sp_project:php-saml-sp	php-saml-sp project php-saml-sp	eq	0.5.5

Rows per page:

1-10 of 321

References

git.sr.ht/~fkooman/php-saml-sp/commit/851f75b298a77e62d9022f1b170f662f5f7716d6

git.sr.ht/~fkooman/php-saml-sp/log

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.6 Medium

AI Score

Confidence

High

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

0.001 Low

EPSS

Percentile

27.3%

JSON

Related for CVE-2023-26267

prion1 cvelist1