SCA: security update for simplesamlphp/simplesamlphp (GHSA-24m3-w8g9-jwpq)

low Tenable Self-Hosted Container Security Plugin ID 423374

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- SimpleSAMLphp versions before 1.18.6 contain an information disclosure vulnerability. The module
controller in `SimpleSAML\Module` that processes requests for pages hosted by modules, has code to
identify paths ending with `.php` and process those as PHP code. If no other suitable way of handling the
given path exists it presents the file to the browser. The check to identify paths ending with `.php` does
not account for uppercase letters. If someone requests a path ending with e.g. `.PHP` and the server is
serving the code from a case-insensitive file system, such as on Windows, the processing of the PHP code
does not occur, and the source code is instead presented to the browser. An attacker may use this issue to
gain access to the source code in third-party modules that is meant to be private, or even sensitive.
However, the attack surface is considered small, as the attack will only work when SimpleSAMLphp serves
such content from a file system that is not case-sensitive, such as on Windows. This issue is fixed in
version 1.18.6. (CVE-2020-5301)

See Also

https://github.com/advisories/GHSA-24m3-w8g9-jwpq

Plugin Details

Severity: Low

ID: 423374

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 3/29/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: Low

Base Score: 3.5

Temporal Score: 2.6

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:N/A:N

CVSS Score Source: CVE-2020-5301

CVSS v3

Risk Factor: Low

Base Score: 3.1

Temporal Score: 2.7

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/22/2020

Vulnerability Publication Date: 4/21/2020

Reference Information

CVE: CVE-2020-5301