Summary
SimpleSAMLphp Information Disclosure vulnerability
Background
SimpleSAMLphp 1.17 includes a preview of the new user interface to be included in the future version 2.0. This new user interface can be enabled by setting the usenewui configuration option to true, and it includes a new admin interface in a module called admin, which can be disabled.
Description
The new admin interface includes a way to view information about the host where SimpleSAMLphp is installed, by means of the phpinfo() PHP function. An endpoint that exposes the output of that function is included in the admin module for easier debugging.
The aforementioned endpoint had no checks for administrator privileges. This would allow any individual to access the given endpoint without authenticating, gathering information about the affected system.
Affected versions
All SimpleSAMLphp 1.17 versions up to 1.17.7 are affected, provided that the new, experimental use interface is enabled, together with the new admin module.
Resolution
Upgrade to SimpleSAMLphp 1.17.8 or 1.18. This can be done by downloading the package, or by running composer update. Refer to the documentation for instructions on how to run composer.
Alternatively, the issue can be mitigated by either disabling the new user interface by setting the usenewui configuration option to false, or by disabling the admin module in the configuration:
'module.enable' => [
...
'admin' => false,
...
],
Impact
An attacker could leverage this issue by accessing the unprotected endpoint and gather intelligence about the host where SimpleSAMLphp is deployed, using it later for their own advantage in case other issues arise.
However, the impact of this issue is deemed as low, given that the new user interface must be explicitly enabled by means of the usenewui configuration option, and the new admin module must also be enabled.
The application does not perform an authorization check before performing a sensitive operation. Typical impact: unauthorized access to restricted functionality or data.
GHSA-PPM4-R2VC-PG74 has a CVSS score of 5.9 (Medium). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.17.8); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is GHSA-PPM4-R2VC-PG74? GHSA-PPM4-R2VC-PG74 is a medium-severity missing authorization vulnerability in simplesamlphp/simplesamlphp (composer), affecting versions >= 1.17.0, < 1.17.8. It is fixed in 1.17.8. The application does not perform an authorization check before performing a sensitive operation.
- How severe is GHSA-PPM4-R2VC-PG74? GHSA-PPM4-R2VC-PG74 has a CVSS score of 5.9 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of simplesamlphp/simplesamlphp are affected by GHSA-PPM4-R2VC-PG74? simplesamlphp/simplesamlphp (composer) versions >= 1.17.0, < 1.17.8 is affected.
- Is there a fix for GHSA-PPM4-R2VC-PG74? Yes. GHSA-PPM4-R2VC-PG74 is fixed in 1.17.8. Upgrade to this version or later.
- Is GHSA-PPM4-R2VC-PG74 exploitable, and should I be worried? Whether GHSA-PPM4-R2VC-PG74 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-PPM4-R2VC-PG74 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-PPM4-R2VC-PG74? Upgrade
simplesamlphp/simplesamlphpto 1.17.8 or later.