VYPR
High severity · NVD Advisory · Published Feb 2, 2018 · Updated Aug 5, 2024

CVE-2018-6519

Description

SimpleSAMLphp SAML2 library before 1.10.4, 2.3.5, and 3.1.1 allows ReDoS via excessive fraction-of-seconds digits in a timestamp.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The simplesamlphp/saml2 library before versions 1.10.4, 2.3.5, and 3.1.1 contains a Regular Expression Denial of Service (ReDoS) vulnerability in the timestamp validation function. When parsing a timestamp inside a SAML document, the library uses a regular expression that does not limit the number of digits allowed in the fraction-of-seconds component. An attacker can provide an arbitrary number of digits, causing the regex evaluation to consume excessive CPU time. [1][4]

Exploitation

An attacker needs only the ability to send a crafted SAML message (e.g., an assertion or protocol message) containing an xs:DateTime timestamp with an abnormally long fraction-of-seconds part. No authentication or special network position is required beyond the normal SAML exchange. The attacker submits the malicious timestamp, and when the library processes it, the regex backtracking leads to a denial of service condition. [4]

Impact

Successful exploitation results in the PHP process hanging or becoming unresponsive while evaluating the regular expression, effectively causing a denial of service (DoS) for the application using the library. This can disrupt authentication or other SAML-related operations. The CVSS score is 7.5 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H based on the NVD assessment. [1]

Mitigation

All affected versions (1.x before 1.10.4, 2.x before 2.3.5, and 3.x before 3.1.1) should be upgraded to the respective patched releases, 1.10.4, 2.3.5, and 3.1.1, which contain the fix. There is no supported workaround; upgrading is the recommended resolution. No CISA Known Exploited Vulnerabilities (KEV) catalog entry was found. [4]
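As an added illustration of the bug class described under Vulnerability and Mitigation (example code written for this page, not the simplesamlphp/saml2 library's own, which is PHP): a Python xs:dateTime parser that caps input length before the regular expression runs and bounds the fraction-of-seconds quantifier, so an over-long fraction is refused in constant time instead of being evaluated. The nine-digit MAX_FRACTION_DIGITS limit, the function names and the sample inputs are assumptions made for this example.

```python
import re
from datetime import datetime, timezone

# Added example, not simplesamlphp/saml2 code. Two defensive controls are shown:
# a hard cap on input length before the regex runs, and a bounded quantifier on
# the fraction-of-seconds group, so the engine never has an open-ended digit run.
MAX_FRACTION_DIGITS = 9                                # assumption: nanoseconds at most
MAX_TIMESTAMP_LENGTH = 20 + 1 + MAX_FRACTION_DIGITS    # "YYYY-MM-DDTHH:MM:SSZ" + "." + digits

XS_DATETIME_UTC = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})"
    r"(?:\.(\d{1," + str(MAX_FRACTION_DIGITS) + r"}))?Z$"
)


class InvalidTimestamp(ValueError):
    """Raised for any timestamp the consumer must not accept."""


def parse_xs_datetime_utc(value: str) -> float:
    """Parse an xs:dateTime in UTC ('Z') form to a POSIX timestamp.

    Over-long input is rejected before any regex work, so a message carrying
    a huge fraction-of-seconds part costs O(1), not a regex evaluation.
    """
    if len(value) > MAX_TIMESTAMP_LENGTH:
        raise InvalidTimestamp("timestamp too long: %d chars" % len(value))
    m = XS_DATETIME_UTC.match(value)
    if m is None:
        raise InvalidTimestamp("not a UTC xs:dateTime: %r" % value[:40])
    year, month, day, hour, minute, second = (int(g) for g in m.groups()[:6])
    frac = m.group(7) or ""
    # datetime stores microseconds: right-pad then truncate the fraction to six digits.
    micro = int((frac + "000000")[:6])
    try:
        dt = datetime(year, month, day, hour, minute, second, micro, tzinfo=timezone.utc)
    except ValueError as exc:          # e.g. month 13 or day 32 passed the regex shape
        raise InvalidTimestamp(str(exc)) from exc
    return dt.timestamp()


def assertion_is_expired(not_on_or_after: str, now: float) -> bool:
    """Typical consumer of the parser: a SAML NotOnOrAfter condition check."""
    return now >= parse_xs_datetime_utc(not_on_or_after)


if __name__ == "__main__":
    print(parse_xs_datetime_utc("2018-02-02T12:00:00.123456789Z"))
    # Constructed hostile input: a one-million-digit fraction, refused by the length cap.
    try:
        parse_xs_datetime_utc("2018-02-02T12:00:00." + "1" * 1_000_000 + "Z")
    except InvalidTimestamp as exc:
        print("rejected:", exc)
```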

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package               Ecosystem   Affected versions   Patched versions
simplesamlphp/saml2   Packagist   < 1.10.4            1.10.4
simplesamlphp/saml2   Packagist   >= 2.0, < 2.3.5     2.3.5
simplesamlphp/saml2   Packagist   >= 3.0, < 3.1.1     3.1.1

Affected products: 1

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (No linked articles in our index yet.)