The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system. This vulnerability is fixed in 1.17.0 and 1.12.3.
Metrics
Affected Vendors & Products
References
History
Fri, 22 Nov 2024 12:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|
Fri, 20 Sep 2024 14:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Gitlab
Gitlab gitlab Omniauth omniauth Saml |
|
CPEs | cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:* cpe:2.3:a:omniauth:omniauth_saml:*:*:*:*:*:ruby:*:* cpe:2.3:a:omniauth:omniauth_saml:2.0.0:*:*:*:*:ruby:*:* cpe:2.3:a:omniauth:omniauth_saml:2.1.0:*:*:*:*:ruby:*:* |
|
Vendors & Products |
Gitlab
Gitlab gitlab Omniauth omniauth Saml |
Wed, 11 Sep 2024 21:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|
Tue, 10 Sep 2024 20:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Omniauth
Omniauth omniauth-saml Onelogin Onelogin ruby-saml |
|
CPEs | cpe:2.3:a:omniauth:omniauth-saml:*:*:*:*:*:*:*:* cpe:2.3:a:onelogin:ruby-saml:*:*:*:*:*:*:*:* |
|
Vendors & Products |
Omniauth
Omniauth omniauth-saml Onelogin Onelogin ruby-saml |
|
Metrics |
ssvc
|
Tue, 10 Sep 2024 19:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system. This vulnerability is fixed in 1.17.0 and 1.12.3. | |
Title | The Ruby SAML library vulnerable to a SAML authentication bypass via Incorrect XPath selector | |
Weaknesses | CWE-347 | |
References |
| |
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-09-10T18:50:12.965Z
Updated: 2024-11-11T17:02:31.329Z
Reserved: 2024-08-28T20:21:32.804Z
Link: CVE-2024-45409
Vulnrichment
Updated: 2024-11-11T17:02:31.329Z
NVD
Status : Modified
Published: 2024-09-10T19:15:22.030
Modified: 2024-11-21T09:37:44.377
Link: CVE-2024-45409
Redhat
No data.