3.1 - CVE-2020-5301

Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.

Informations
Name	CVE-2020-5301	First vendor Publication	2020-04-21
Vendor	Cve	Last vendor Modification	2024-11-21

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Overall CVSS Score	3.1
Base Score	3.1	Environmental Score	3.1
impact SubScore	1.4	Temporal Score	3.1
Exploitabality Sub Score	1.6

Attack Vector	Network	Attack Complexity	High
Privileges Required	Low	User Interaction	None
Scope	Unchanged	Confidentiality Impact	Low
Integrity Impact	None	Availability Impact	None
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:S/C:P/I:N/A:N)
Cvss Base Score	3.5	Attack Range	Network
Cvss Impact Score	2.9	Attack Complexity	Medium
Cvss Expoit Score	6.8	Authentication	Requires single instance
Calculate full CVSS 2.0 Vectors scores

Detail

SimpleSAMLphp versions before 1.18.6 contain an information disclosure vulnerability. The module controller in `SimpleSAML\Module` that processes requests for pages hosted by modules, has code to identify paths ending with `.php` and process those as PHP code. If no other suitable way of handling the given path exists it presents the file to the browser. The check to identify paths ending with `.php` does not account for uppercase letters. If someone requests a path ending with e.g. `.PHP` and the server is serving the code from a case-insensitive file system, such as on Windows, the processing of the PHP code does not occur, and the source code is instead presented to the browser. An attacker may use this issue to gain access to the source code in third-party modules that is meant to be private, or even sensitive. However, the attack surface is considered small, as the attack will only work when SimpleSAMLphp serves such content from a file system that is not case-sensitive, such as on Windows. This issue is fixed in version 1.18.6.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5301

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-178	Failure to Resolve Case Sensitivity (CWE/SANS Top 25)

CPE : Common Platform Enumeration

Type	Description	Count
Application	Simplesamlphp cpe:2.3:a:simplesamlphp:simplesamlphp:1.9.2:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.9.1:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.9.0:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.9:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.8.3:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.8.2:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.8.1:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.8.0:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.8:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.7.0:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.7:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.6.3:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.6.2:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.6.1:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.6:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.5.1:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.5:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.4.10:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.4:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.3:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.2:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.14.9:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.14.8:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.14.7:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.14.6:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.14.5:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.14.4:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.14.3:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.14.2:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.14.13:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.14.12:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.14.11:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.14.10:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.14.1:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.14.0:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.14:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.13.2:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.13.1:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.13.0:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.13:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.12.0:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.12:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.11.0:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.11:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.10.0:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.10:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.1:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:1.0:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:0.5:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp:0.4:::::::* cpe:2.3:a:simplesamlphp:simplesamlphp::::::::	51

Sources (Detail)

https://github.com/simplesamlphp/simplesamlphp/commit/47968d26a2fd3ed52da70dc...
https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-24m3-...

Source	Url

Alert History

If you want to see full details history, please login or register.

Date	Informations
2024-11-28 13:45:59	Multiple Updates
2021-09-14 17:23:14	Multiple Updates
2021-05-04 13:55:37	Multiple Updates
2021-04-22 03:06:17	Multiple Updates
2020-05-23 02:37:00	First insertion

3.1 - CVE-2020-5301

Executive Summary

Security-Database Scoring CVSS v3

Security-Database Scoring CVSS v2

Detail

Original Source

CWE : Common Weakness Enumeration

CPE : Common Platform Enumeration

Sources (Detail)

Alert History

Global Informations

Open Standards

COMPANY

STANDARDS

RECENT POSTS

MENU