Description
The web application uses SAML. The web application's SAML Consumer Service allows references to remote servers or local files (via the KeyInfo RetrievalMethod element and other mechanisms). An unauthenticated attacker may be able to use this to read arbitrary files on the server or to make the server send requests to other hosts (SSRF).
Remediation
Disable dereferencing for external resources
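As an added example (not part of this entry or any vendor's code), a pre-check a SAML consumer can run before handing a response to its signature library: it flags any ds:RetrievalMethod or ds:Reference URI that is not a same-document fragment, since only those can be resolved without touching the filesystem or the network. Element names come from the XML-DSig namespace; the sample responses are constructed.

```python
"""Reject SAML responses whose signature metadata points outside the document.

Constructed defensive example. Run it before any library that dereferences
KeyInfo/RetrievalMethod or Reference URIs sees the response.
"""
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
RETRIEVAL_METHOD = f"{{{DS_NS}}}RetrievalMethod"
REFERENCE = f"{{{DS_NS}}}Reference"


def find_external_references(saml_xml: str) -> list[str]:
    """Return every RetrievalMethod/Reference URI that is not "" or "#id".

    Anything else (http://, https://, file:///, relative paths) would make a
    dereferencing verifier fetch a local file or a remote resource.
    """
    root = ET.fromstring(saml_xml)  # expat does not fetch external resources
    offending = []
    for elem in root.iter():
        if elem.tag not in (RETRIEVAL_METHOD, REFERENCE):
            continue
        uri = elem.get("URI")
        if uri is None or uri == "" or uri.startswith("#"):
            continue  # same-document reference: safe to resolve
        offending.append(uri)
    return offending


def is_safe_saml(saml_xml: str) -> bool:
    """True when the response carries no external KeyInfo/Reference URIs."""
    return not find_external_references(saml_xml)


def sample_response(key_uri: str) -> str:
    """Constructed minimal SAML Response with a signature and given KeyInfo URI."""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'xmlns:ds="{DS_NS}" ID="r1">'
        "<ds:Signature>"
        '<ds:SignedInfo><ds:Reference URI="#r1"/></ds:SignedInfo>'
        f'<ds:KeyInfo><ds:RetrievalMethod URI="{key_uri}"/></ds:KeyInfo>'
        "</ds:Signature></samlp:Response>"
    )


SAFE_RESPONSE = sample_response("#key1")
UNSAFE_RESPONSE = sample_response("https://remote.example.net/key.xml")

if __name__ == "__main__":
    print("safe:", is_safe_saml(SAFE_RESPONSE))      # True
    print("unsafe:", find_external_references(UNSAFE_RESPONSE))
```

The check complements, rather than replaces, turning off external-resource resolution in the XML and signature libraries themselves.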
References
Related Vulnerabilities
ColdFusion WDDX Deserialization RCE (CVE-2023-29300/CVE-2023-38203/CVE-2023-38204)
Apache Unomi MVEL RCE (CVE-2020-13942)
Zend Framework local file disclosure via XXE injection
WordPress Server-Side Request Forgery (SSRF) Vulnerability (CVE-2019-17670)
WordPress Plugin W3 Total Cache Multiple Vulnerabilities (0.9.4.1)