CVE-2020-5301
Information disclosure of source code in SimpleSAMLphp
Description
### Background The module controller in `SimpleSAML\Module` that processes requests for pages hosted by modules, has code to identify paths ending with `.php` and process those as PHP code. If no other suitable way of handling the given path exists it presents the file to the browser. ### Description The check to identify paths ending with `.php` does not account for uppercase letters. If someone requests a path ending with e.g. `.PHP` and the server is serving the code from a case-insensitive file system, such as on Windows, the processing of the PHP code does not occur, and the source code is instead presented to the browser. ### Affected versions SimpleSAMLphp versions **1.18.5 and older**. ### Impact An attacker may use this issue to gain access to the source code in third-party modules that is meant to be private, or even sensitive. However, the attack surface is considered small, as the attack will only work when SimpleSAMLphp serves such content from a file system that is not case-sensitive, such as on Windows. ### Resolution Upgrade the SimpleSAMLphp installation to version **1.18.6**. ### Credit This vulnerability was discovered and reported by Sławek Naczyński.
How to fix CVE-2020-5301
To remediate CVE-2020-5301, upgrade the affected package to a fixed version below.
- —upgrade to 1.18.6 or later
Is CVE-2020-5301 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 1.18.6