SCA: security update for simplesamlphp/simplesamlphp-module-casserver (GHSA-jrrg-99xh-5j2q)

Severity: High | Tenable Self-Hosted Container Security | Plugin ID 441985

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- SimpleSAMLphp-casserver is a CAS 1.0 and 2.0 compliant CAS server in the form of a SimpleSAMLphp module. Prior to version 7.0.3, simplesamlphp-module-casserver builds file paths for the file-based CAS ticket store by directly concatenating the configured ticket directory with an attacker-controlled ticket identifier. Public CAS validation/proxy endpoints pass attacker-controlled ticket / pgt query parameters into this store. In deployments using FileSystemTicketStore, a remote attacker can use path traversal sequences such as ../target.serialized to make the CAS server read and unserialize files outside the ticket directory. In the CAS 1.0 validation flow, the same attacker-selected path is also passed to deleteTicket() immediately after getTicket() returns, which can delete the target file when it is readable by the PHP process, deletable under the PHP process filesystem permissions, and unserializes to a value compatible with the ?array return type. This issue has been patched in version 7.0.3. (CVE-2026-46491)
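The weakness described above is a CWE-22 pattern: a request-supplied ticket identifier is joined onto a directory path without validation, so `../` sequences let the resulting path leave the ticket directory. The following is an added illustration, not code from simplesamlphp-module-casserver or from the 7.0.3 fix. It places the direct-concatenation form next to a hardened resolver that first allowlists the identifier and then confirms the resolved path stays inside the ticket directory. The function names, the `TICKET_ID_PATTERN` allowlist, the `.serialized` suffix and the sample ticket ids are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not the module's own code. Pattern is an assumption for
// illustration: a CAS ticket id is a prefix plus random token (e.g. ST-..., PGT-...),
// so anything containing "/", "\" or "." is rejected before it reaches the filesystem.
const TICKET_ID_PATTERN = '/^[A-Za-z0-9][A-Za-z0-9_-]{0,255}$/';

/** Direct concatenation: the path-building pattern the advisory describes. */
function unsafeTicketPath(string $ticketDir, string $ticketId): string
{
    return rtrim($ticketDir, '/') . '/' . $ticketId . '.serialized';
}

/** Hardened resolver: allowlist the id, then verify the path is contained. */
function safeTicketPath(string $ticketDir, string $ticketId): string
{
    if (preg_match(TICKET_ID_PATTERN, $ticketId) !== 1) {
        throw new InvalidArgumentException('invalid ticket identifier');
    }
    $base = realpath($ticketDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('ticket directory does not exist');
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $ticketId . '.serialized';
    // Defence in depth: a new ticket's file does not exist yet, so canonicalise the
    // candidate's parent directory and require it to equal the ticket directory.
    if (realpath(dirname($candidate)) !== $base) {
        throw new RuntimeException('ticket path escapes the ticket directory');
    }
    return $candidate;
}

// Constructed demonstration inputs (hypothetical ids, temporary directory).
$dir = sys_get_temp_dir() . '/cas-tickets-demo';
@mkdir($dir, 0700, true);
foreach (['ST-1a2b3c', '../target', 'PGT-../../other'] as $id) {
    printf("unsafe: %s\n", unsafeTicketPath($dir, $id));
    try {
        printf("safe:   %s\n", safeTicketPath($dir, $id));
    } catch (Throwable $e) {
        printf("safe:   rejected (%s)\n", $e->getMessage());
    }
}
```

The allowlist is the real control: once the identifier can only contain a fixed character set, concatenation cannot produce a path outside the directory, and the `realpath()` comparison only guards against a future change that loosens the pattern. Because the store unserializes what it reads, passing `['allowed_classes' => false]` to `unserialize()` is a further defence-in-depth measure for a store that only ever holds arrays, independent of the traversal fix.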

Solution

Update the simplesamlphp/simplesamlphp-module-casserver library and its related packages to version 7.0.3 or later.

See Also

https://github.com/advisories/GHSA-jrrg-99xh-5j2q

Plugin Details

Severity: High

ID: 441985

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 5/15/2026

Updated: 6/10/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.9

Percentile: 52.76

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:C/A:P

CVSS Score Source: CVE-2026-46491

CVSS v3

Risk Factor: High

Base Score: 8.6

Temporal Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/15/2026

Vulnerability Publication Date: 5/15/2026

Reference Information

CVE: CVE-2026-46491

CWE: CWE-22