esaml SAML Library XML External Entity Vulnerability Allowing Local File Read and Potential SSRF
Vulnerability
An XML External Entity (XXE) vulnerability has been identified in the esaml SAML library and its forks. It allows an attacker to make the system read local files and embed their contents in SAML documents, and it could also enable Server-Side Request Forgery (SSRF) through crafted SAML messages. The root cause is that esaml parses attacker-controlled SAML messages, before verifying their signatures, with a function that does not disable XML entity expansion. On Erlang/OTP versions before 27, the Xmerl parser expands entities by default, so this pre-signature parse is exposed to XXE. Exploitation can expose local file contents, such as Kubernetes-mounted secrets, either through the SAML document itself or, if the document is discarded because signature verification fails, through logs or error messages.
Impact
Exploitation of this vulnerability could lead to unauthorized reading of local files, including sensitive information like Kubernetes secrets, and could facilitate SSRF attacks by allowing the attacker to craft SAML messages that trigger requests to internal services.
Remediation
Users are advised to upgrade to Erlang/OTP 27 or later, where the Xmerl parser disables entity expansion by default, mitigating this vulnerability without requiring changes to the esaml library.
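The two points above (the unsafe parse runs on attacker-controlled input before any signature check, and the fix is to make the parser refuse entity expansion) can be enforced independently of the parser's defaults by gating inbound messages before they reach the SAML library. The following is an added example, not esaml's code, written in Python with the standard library's expat bindings rather than Erlang so it runs without an OTP install; the function names, the sample Response documents and the placeholder file path are all constructed for illustration. It rejects any SAML message that carries a DOCTYPE or entity declaration, so a DTD never reaches whichever parser does the real work:

```python
"""Pre-signature gate for inbound SAML messages.

Refuses any message that carries a DTD (DOCTYPE or entity declaration)
before it reaches the SAML parser, so entity expansion can never run on
attacker-controlled input, whatever the underlying parser's defaults are.
Hypothetical helper names; not esaml's code.
"""
import base64
import xml.parsers.expat


class DtdRejected(Exception):
    """Raised from an expat callback the moment a DTD construct is seen."""


def contains_dtd(xml_bytes: bytes) -> bool:
    """Return True if the document declares a DOCTYPE or any entity.

    Parser callbacks are used instead of a regex so the check is not fooled
    by leading comments, whitespace or encoding tricks. Malformed XML raises
    xml.parsers.expat.ExpatError for the caller to handle.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected(f"DOCTYPE {name!r}")

    def on_entity_decl(*_args):
        raise DtdRejected("entity declaration")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(xml_bytes, True)
    except DtdRejected:
        return True
    return False


def inspect_saml_message(encoded: str) -> str:
    """Classify a base64 SAMLResponse/SAMLRequest parameter value.

    Returns "accept" for well-formed, DTD-free XML, otherwise "reject:<why>".
    Only accepted documents should be handed to the SAML library for
    signature verification, the step the advisory says currently runs
    after the unsafe parse.
    """
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError:
        return "reject:base64"
    try:
        if contains_dtd(raw):
            return "reject:dtd"
    except xml.parsers.expat.ExpatError:
        return "reject:malformed"
    return "accept"


def encode_for_post(xml_bytes: bytes) -> str:
    """Base64-encode XML the way a browser submits it in a SAML POST binding."""
    return base64.b64encode(xml_bytes).decode("ascii")


# Constructed samples, not real IdP output: a minimal Response, and the same
# Response prefixed with a DTD that declares an external entity (the shape
# of input the advisory describes). The file path is a placeholder.
BENIGN = b"""<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example</saml:Issuer>
</samlp:Response>"""

WITH_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE samlp:Response [
  <!ENTITY ext SYSTEM "file:///PLACEHOLDER/path">
]>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r2">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">&ext;</saml:Issuer>
</samlp:Response>"""


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("with-dtd", WITH_DTD)):
        print(label, "->", inspect_saml_message(encode_for_post(doc)))
```

Rejecting the whole DTD, rather than only external entities, is deliberate: SAML metadata and assertions never need one, and it also rules out internal-entity amplification. The gate is an extra layer, not a substitute for the OTP 27 upgrade; the same "no DTD, no entity expansion, then verify the signature, then act" ordering is what a Xmerl-based implementation should enforce as well.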