VulnerableCode Package Details - pkg:composer/simplesamlphp/saml2@5.0.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-18ax-mp8x-n7ap Aliases: CVE-2023-49087 GHSA-ww7x-3gxh-qm6r	Validation of SignedInfo Validation of an XML Signature requires verification that the hash value of the related XML-document (after any optional transformations and/or normalizations) matches a specific DigestValue-value, but also that the cryptografic signature on the SignedInfo-tree (the one that contains the DigestValue) verifies and matches a trusted public key. Within the simpleSAMLphp/xml-security library (https://github.com/simplesamlphp/xml-security), the hash is being validated using SignedElementTrait::validateReference, and the signature is being verified in SignedElementTrait::verifyInternal https://github.com/simplesamlphp/xml-security/blob/master/src/XML/SignedElementTrait.php: ![afbeelding](https://user-images.githubusercontent.com/841045/285817284-a7b7b3b4-768a-46e8-a34b-61790b6e23a5.png) What stands out is that the signature is being calculated over the canonical version of the SignedInfo-tree. The validateReference method, however, uses the original non-canonicalized version of SignedInfo. ### Impact If an attacker somehow (i.e. by exploiting a bug in PHP's canonicalization function) manages to manipulate the canonicalized version's DigestValue, it would be potentially be possible to forge the signature. No possibilities to exploit this were found during the investigation.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-18ax-mp8x-n7ap
Aliases:
CVE-2023-49087
GHSA-ww7x-3gxh-qm6r

Validation of SignedInfo Validation of an XML Signature requires verification that the hash value of the related XML-document (after any optional transformations and/or normalizations) matches a specific DigestValue-value, but also that the cryptografic signature on the SignedInfo-tree (the one that contains the DigestValue) verifies and matches a trusted public key. Within the simpleSAMLphp/xml-security library (https://github.com/simplesamlphp/xml-security), the hash is being validated using SignedElementTrait::validateReference, and the signature is being verified in SignedElementTrait::verifyInternal https://github.com/simplesamlphp/xml-security/blob/master/src/XML/SignedElementTrait.php: ![afbeelding](https://user-images.githubusercontent.com/841045/285817284-a7b7b3b4-768a-46e8-a34b-61790b6e23a5.png) What stands out is that the signature is being calculated over the canonical version of the SignedInfo-tree. The validateReference method, however, uses the original non-canonicalized version of SignedInfo. ### Impact If an attacker somehow (i.e. by exploiting a bug in PHP's canonicalization function) manages to manipulate the canonicalized version's DigestValue, it would be potentially be possible to forge the signature. No possibilities to exploit this were found during the investigation.

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:46:28.895853+00:00	GitLab Importer	Affected by	VCID-18ax-mp8x-n7ap	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/simplesamlphp/saml2/CVE-2023-49087.yml	38.6.0

2026-06-02T04:46:28.895853+00:00

GitLab Importer

Affected by

VCID-18ax-mp8x-n7ap

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/simplesamlphp/saml2/CVE-2023-49087.yml

38.6.0

Next non-vulnerable version	None.
Latest non-vulnerable version	None.
Risk	4.0