Description

The web application uses SAML. The web application's SAML Consumer Service allows referencing to remote servers/local files (using KeyInfo RetrievalMethod and other methods). An unauthenticated attacker may be able to use it in order to read arbitrary files on the server or send requests to other servers (SSRF).

Remediation

Disable dereferencing for external resources

References

Ping'ing XMLSec

XML Signature Syntax and Processing Version 2.0

XML Signature Best Practices

Related Vulnerabilities

XML external entity injection (variant)

WordPress Plugin Visualizer:Tables and Charts Manager for WordPress Multiple Vulnerabilities (3.3.0)

WordPress Plugin WP Smart Import: Import any XML File to WordPress Server-Side Request Forgery (1.0.0)

WordPress Plugin Import all XML, CSV & TXT into WordPress Server-Side Request Forgery (6.5.2)

VMware Horizon Log4Shell RCE

Severity

High

Classification

CWE-918 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Tags

Acumonitor SSRF