low
3.5
CWE
178 200
Advisory Published
CVE Published
Updated

CVE-2020-5301: Information disclosure of source code in SimpleSAMLphp

First published: Tue Apr 17 2018(Updated: )

### Background The module controller in `SimpleSAML\Module` that processes requests for pages hosted by modules, has code to identify paths ending with `.php` and process those as PHP code. If no other suitable way of handling the given path exists it presents the file to the browser. ### Description The check to identify paths ending with `.php` does not account for uppercase letters. If someone requests a path ending with e.g. `.PHP` and the server is serving the code from a case-insensitive file system, such as on Windows, the processing of the PHP code does not occur, and the source code is instead presented to the browser. ### Affected versions SimpleSAMLphp versions **1.18.5 and older**. ### Impact An attacker may use this issue to gain access to the source code in third-party modules that is meant to be private, or even sensitive. However, the attack surface is considered small, as the attack will only work when SimpleSAMLphp serves such content from a file system that is not case-sensitive, such as on Windows. ### Resolution Upgrade the SimpleSAMLphp installation to version **1.18.6**. ### Credit This vulnerability was discovered and reported by Sławek Naczyński.

Credit: security-advisories@github.com security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
composer/simplesamlphp/simplesamlphp<1.18.6
composer/simplesamlphp/simplesamlphp<1.18.6
1.18.6
SimpleSAMLphp<1.18.6

Remedy

https://github.com/simplesamlphp/simplesamlphp/commit/47968d26a2fd3ed52da70dc09210921d612ce44e

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the vulnerability ID for this information disclosure vulnerability?

    The vulnerability ID for this information disclosure vulnerability is CVE-2020-5301.

  • What is the severity level of CVE-2020-5301?

    CVE-2020-5301 has a severity level of low, with a severity value of 3.1.

  • What does CVE-2020-5301 affect?

    CVE-2020-5301 affects SimpleSAMLphp versions before 1.18.6.

  • How can I fix CVE-2020-5301?

    To fix CVE-2020-5301, you should update SimpleSAMLphp to version 1.18.6 or later.

  • Where can I find more information about CVE-2020-5301?

    You can find more information about CVE-2020-5301 on the SimpleSAMLphp website and on the GitHub page for the project.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203