Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
10 vulnerabilities found for omniauth_saml by omniauth
CVE-2025-25292 (GCVE-0-2025-25292)
Vulnerability from cvelistv5 – Published: 2025-03-12 20:53 – Updated: 2025-11-03 19:45
VLAI
Title
Ruby SAML vulnerable to SAML authentication bypass due to namespace handling (parser differential)
Summary
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently, the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 contain a patch for the issue.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
13 references
| URL | Tags |
|---|---|
| https://github.com/SAML-Toolkits/ruby-saml/securi… | x_refsource_CONFIRM |
| https://github.com/omniauth/omniauth-saml/securit… | x_refsource_MISC |
| https://github.com/SAML-Toolkits/ruby-saml/commit… | x_refsource_MISC |
| https://github.com/SAML-Toolkits/ruby-saml/commit… | x_refsource_MISC |
| https://about.gitlab.com/releases/2025/03/12/patc… | x_refsource_MISC |
| https://github.blog/security/sign-in-as-anyone-by… | x_refsource_MISC |
| https://github.com/SAML-Toolkits/ruby-saml/releas… | x_refsource_MISC |
| https://github.com/SAML-Toolkits/ruby-saml/releas… | x_refsource_MISC |
| https://portswigger.net/research/saml-roulette-th… | x_refsource_MISC |
| https://securitylab.github.com/advisories/GHSL-20… | x_refsource_MISC |
| https://security.netapp.com/advisory/ntap-2025031… | |
| https://news.ycombinator.com/item?id=43374519 | |
| https://lists.debian.org/debian-lts-announce/2025… |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SAML-Toolkits | ruby-saml |
Affected:
< 1.12.4
Affected: >= 1.13.0, < 1.18.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:45:01.139Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250314-0009/"
},
{
"url": "https://news.ycombinator.com/item?id=43374519"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00011.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-25292",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-18T14:32:48.636527Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-18T14:32:54.612Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ruby-saml",
"vendor": "SAML-Toolkits",
"versions": [
{
"status": "affected",
"version": "\u003c 1.12.4"
},
{
"status": "affected",
"version": "\u003e= 1.13.0, \u003c 1.18.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently, the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 contain a patch for the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-436",
"description": "CWE-436: Interpretation Conflict",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-12T19:06:17.813Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-754f-8gm6-c4r2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-754f-8gm6-c4r2"
},
{
"name": "https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-hw46-3hmr-x9xv",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-hw46-3hmr-x9xv"
},
{
"name": "https://github.com/SAML-Toolkits/ruby-saml/commit/e76c5b36bac40aedbf1ba7ffaaf495be63328cd9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/SAML-Toolkits/ruby-saml/commit/e76c5b36bac40aedbf1ba7ffaaf495be63328cd9"
},
{
"name": "https://github.com/SAML-Toolkits/ruby-saml/commit/e9c1cdbd0f9afa467b585de279db0cbd0fb8ae97",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/SAML-Toolkits/ruby-saml/commit/e9c1cdbd0f9afa467b585de279db0cbd0fb8ae97"
},
{
"name": "https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released",
"tags": [
"x_refsource_MISC"
],
"url": "https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released"
},
{
"name": "https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials"
},
{
"name": "https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.12.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.12.4"
},
{
"name": "https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.18.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.18.0"
},
{
"name": "https://portswigger.net/research/saml-roulette-the-hacker-always-wins",
"tags": [
"x_refsource_MISC"
],
"url": "https://portswigger.net/research/saml-roulette-the-hacker-always-wins"
},
{
"name": "https://securitylab.github.com/advisories/GHSL-2024-329_GHSL-2024-330_ruby-saml",
"tags": [
"x_refsource_MISC"
],
"url": "https://securitylab.github.com/advisories/GHSL-2024-329_GHSL-2024-330_ruby-saml"
}
],
"source": {
"advisory": "GHSA-754f-8gm6-c4r2",
"discovery": "UNKNOWN"
},
"title": "Ruby SAML vulnerable to SAML authentication bypass due to namespace handling (parser differential)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-25292",
"datePublished": "2025-03-12T20:53:24.353Z",
"dateReserved": "2025-02-06T17:13:33.122Z",
"dateUpdated": "2025-11-03T19:45:01.139Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-25291 (GCVE-0-2025-25291)
Vulnerability from cvelistv5 – Published: 2025-03-12 20:16 – Updated: 2025-11-03 19:44
VLAI
Title
ruby-saml vulnerable to SAML authentication bypass due to DOCTYPE handling (parser differential)
Summary
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 fix the issue.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
13 references
| URL | Tags |
|---|---|
| https://github.com/SAML-Toolkits/ruby-saml/securi… | x_refsource_CONFIRM |
| https://github.com/omniauth/omniauth-saml/securit… | x_refsource_MISC |
| https://github.com/SAML-Toolkits/ruby-saml/commit… | x_refsource_MISC |
| https://github.com/SAML-Toolkits/ruby-saml/commit… | x_refsource_MISC |
| https://about.gitlab.com/releases/2025/03/12/patc… | x_refsource_MISC |
| https://github.blog/security/sign-in-as-anyone-by… | x_refsource_MISC |
| https://github.com/SAML-Toolkits/ruby-saml/releas… | x_refsource_MISC |
| https://github.com/SAML-Toolkits/ruby-saml/releas… | x_refsource_MISC |
| https://portswigger.net/research/saml-roulette-th… | x_refsource_MISC |
| https://securitylab.github.com/advisories/GHSL-20… | x_refsource_MISC |
| https://security.netapp.com/advisory/ntap-2025031… | |
| https://news.ycombinator.com/item?id=43374519 | |
| https://lists.debian.org/debian-lts-announce/2025… |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SAML-Toolkits | ruby-saml |
Affected:
< 1.12.4
Affected: >= 1.13.0, < 1.18.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-25291",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-03T20:06:31.066662Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T20:06:50.415Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:44:59.719Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250314-0010/"
},
{
"url": "https://news.ycombinator.com/item?id=43374519"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00011.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ruby-saml",
"vendor": "SAML-Toolkits",
"versions": [
{
"status": "affected",
"version": "\u003c 1.12.4"
},
{
"status": "affected",
"version": "\u003e= 1.13.0, \u003c 1.18.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 fix the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-436",
"description": "CWE-436: Interpretation Conflict",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-12T19:07:07.030Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-4vc4-m8qh-g8jm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-4vc4-m8qh-g8jm"
},
{
"name": "https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-hw46-3hmr-x9xv",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-hw46-3hmr-x9xv"
},
{
"name": "https://github.com/SAML-Toolkits/ruby-saml/commit/e76c5b36bac40aedbf1ba7ffaaf495be63328cd9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/SAML-Toolkits/ruby-saml/commit/e76c5b36bac40aedbf1ba7ffaaf495be63328cd9"
},
{
"name": "https://github.com/SAML-Toolkits/ruby-saml/commit/e9c1cdbd0f9afa467b585de279db0cbd0fb8ae97",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/SAML-Toolkits/ruby-saml/commit/e9c1cdbd0f9afa467b585de279db0cbd0fb8ae97"
},
{
"name": "https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released",
"tags": [
"x_refsource_MISC"
],
"url": "https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released"
},
{
"name": "https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials"
},
{
"name": "https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.12.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.12.4"
},
{
"name": "https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.18.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.18.0"
},
{
"name": "https://portswigger.net/research/saml-roulette-the-hacker-always-wins",
"tags": [
"x_refsource_MISC"
],
"url": "https://portswigger.net/research/saml-roulette-the-hacker-always-wins"
},
{
"name": "https://securitylab.github.com/advisories/GHSL-2024-329_GHSL-2024-330_ruby-saml",
"tags": [
"x_refsource_MISC"
],
"url": "https://securitylab.github.com/advisories/GHSL-2024-329_GHSL-2024-330_ruby-saml"
}
],
"source": {
"advisory": "GHSA-4vc4-m8qh-g8jm",
"discovery": "UNKNOWN"
},
"title": "ruby-saml vulnerable to SAML authentication bypass due to DOCTYPE handling (parser differential)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-25291",
"datePublished": "2025-03-12T20:16:12.181Z",
"dateReserved": "2025-02-06T17:13:33.122Z",
"dateUpdated": "2025-11-03T19:44:59.719Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-25293 (GCVE-0-2025-25293)
Vulnerability from cvelistv5 – Published: 2025-03-12 20:11 – Updated: 2025-11-03 19:45
VLAI
Title
ruby-saml vulnerable to Remote Denial of Service (DoS) with compressed SAML responses
Summary
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Prior to versions 1.12.4 and 1.18.0, ruby-saml is susceptible to remote Denial of Service (DoS) with compressed SAML responses. ruby-saml uses zlib to decompress SAML responses in case they're compressed. It is possible to bypass the message size check with a compressed assertion since the message size is checked before inflation and not after. This issue may lead to remote Denial of Service (DoS). Versions 1.12.4 and 1.18.0 fix the issue.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
11 references
| URL | Tags |
|---|---|
| https://github.com/SAML-Toolkits/ruby-saml/securi… | x_refsource_CONFIRM |
| https://github.com/omniauth/omniauth-saml/securit… | x_refsource_MISC |
| https://github.com/SAML-Toolkits/ruby-saml/commit… | x_refsource_MISC |
| https://github.com/SAML-Toolkits/ruby-saml/commit… | x_refsource_MISC |
| https://about.gitlab.com/releases/2025/03/12/patc… | x_refsource_MISC |
| https://github.blog/security/sign-in-as-anyone-by… | x_refsource_MISC |
| https://github.com/SAML-Toolkits/ruby-saml/releas… | x_refsource_MISC |
| https://github.com/SAML-Toolkits/ruby-saml/releas… | x_refsource_MISC |
| https://securitylab.github.com/advisories/GHSL-20… | x_refsource_MISC |
| https://security.netapp.com/advisory/ntap-2025031… | |
| https://lists.debian.org/debian-lts-announce/2025… |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SAML-Toolkits | ruby-saml |
Affected:
< 1.12.4
Affected: >= 1.13.0, < 1.18.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-25293",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-12T20:36:09.253658Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-12T20:36:17.830Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:45:02.622Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250314-0008/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00011.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ruby-saml",
"vendor": "SAML-Toolkits",
"versions": [
{
"status": "affected",
"version": "\u003c 1.12.4"
},
{
"status": "affected",
"version": "\u003e= 1.13.0, \u003c 1.18.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Prior to versions 1.12.4 and 1.18.0, ruby-saml is susceptible to remote Denial of Service (DoS) with compressed SAML responses. ruby-saml uses zlib to decompress SAML responses in case they\u0027re compressed. It is possible to bypass the message size check with a compressed assertion since the message size is checked before inflation and not after. This issue may lead to remote Denial of Service (DoS). Versions 1.12.4 and 1.18.0 fix the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-12T19:05:32.311Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-92rq-c8cf-prrq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-92rq-c8cf-prrq"
},
{
"name": "https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-hw46-3hmr-x9xv",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-hw46-3hmr-x9xv"
},
{
"name": "https://github.com/SAML-Toolkits/ruby-saml/commit/acac9e9cc0b9a507882c614f25d41f8b47be349a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/SAML-Toolkits/ruby-saml/commit/acac9e9cc0b9a507882c614f25d41f8b47be349a"
},
{
"name": "https://github.com/SAML-Toolkits/ruby-saml/commit/e2da4c6dae7dc01a4d9cd221395140a67e2b3eb1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/SAML-Toolkits/ruby-saml/commit/e2da4c6dae7dc01a4d9cd221395140a67e2b3eb1"
},
{
"name": "https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released",
"tags": [
"x_refsource_MISC"
],
"url": "https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released"
},
{
"name": "https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials"
},
{
"name": "https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.12.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.12.4"
},
{
"name": "https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.18.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.18.0"
},
{
"name": "https://securitylab.github.com/advisories/GHSL-2024-355_ruby-saml",
"tags": [
"x_refsource_MISC"
],
"url": "https://securitylab.github.com/advisories/GHSL-2024-355_ruby-saml"
}
],
"source": {
"advisory": "GHSA-92rq-c8cf-prrq",
"discovery": "UNKNOWN"
},
"title": "ruby-saml vulnerable to Remote Denial of Service (DoS) with compressed SAML responses"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-25293",
"datePublished": "2025-03-12T20:11:08.860Z",
"dateReserved": "2025-02-06T17:13:33.122Z",
"dateUpdated": "2025-11-03T19:45:02.622Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-45409 (GCVE-0-2024-45409)
Vulnerability from cvelistv5 – Published: 2024-09-10 18:50 – Updated: 2024-11-11 17:02
VLAI
Title
The Ruby SAML library vulnerable to a SAML authentication bypass via Incorrect XPath selector
Summary
The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system. This vulnerability is fixed in 1.17.0 and 1.12.3.
Severity
10 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-347 - Improper Verification of Cryptographic Signature
Assigner
References
8 references
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| SAML-Toolkits | ruby-saml |
Affected:
< 1.12.3
Affected: >= 1.13.0, < 1.17.0 |
|
| onelogin | ruby-saml |
Affected:
0 , < 1.12.3
(custom)
Affected: 1.13.0 , < 1.17.0 (custom) cpe:2.3:a:onelogin:ruby-saml:*:*:*:*:*:*:*:* |
|
| omniauth | omniauth-saml |
Affected:
0 , ≤ 2.1.0
(custom)
cpe:2.3:a:omniauth:omniauth-saml:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:onelogin:ruby-saml:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ruby-saml",
"vendor": "onelogin",
"versions": [
{
"lessThan": "1.12.3",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "1.17.0",
"status": "affected",
"version": "1.13.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:omniauth:omniauth-saml:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "omniauth-saml",
"vendor": "omniauth",
"versions": [
{
"lessThanOrEqual": "2.1.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45409",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-23T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-16T03:55:11.297Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-11-11T17:02:31.329Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://ssoready.com/blog/engineering/ruby-saml-pwned-by-xml-signature-wrapping-attacks/"
},
{
"url": "https://news.ycombinator.com/item?id=41586031"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240926-0008/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00006.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ruby-saml",
"vendor": "SAML-Toolkits",
"versions": [
{
"status": "affected",
"version": "\u003c 1.12.3"
},
{
"status": "affected",
"version": "\u003e= 1.13.0, \u003c 1.17.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in \u003c= 12.2 and 1.13.0 \u003c= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system. This vulnerability is fixed in 1.17.0 and 1.12.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T21:03:29.185Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2"
},
{
"name": "https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-cvp8-5r8g-fhvq",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-cvp8-5r8g-fhvq"
},
{
"name": "https://github.com/SAML-Toolkits/ruby-saml/commit/1ec5392bc506fe43a02dbb66b68741051c5ffeae",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/SAML-Toolkits/ruby-saml/commit/1ec5392bc506fe43a02dbb66b68741051c5ffeae"
},
{
"name": "https://github.com/SAML-Toolkits/ruby-saml/commit/4865d030cae9705ee5cdb12415c654c634093ae7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/SAML-Toolkits/ruby-saml/commit/4865d030cae9705ee5cdb12415c654c634093ae7"
}
],
"source": {
"advisory": "GHSA-jw9c-mfg7-9rx2",
"discovery": "UNKNOWN"
},
"title": "The Ruby SAML library vulnerable to a SAML authentication bypass via Incorrect XPath selector"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45409",
"datePublished": "2024-09-10T18:50:12.965Z",
"dateReserved": "2024-08-28T20:21:32.804Z",
"dateUpdated": "2024-11-11T17:02:31.329Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-11430 (GCVE-0-2017-11430)
Vulnerability from cvelistv5 – Published: 2019-04-17 14:00 – Updated: 2024-08-05 18:12
VLAI
Title
Multiple SAML libraries may allow authentication bypass via incorrect XML canonicalization and DOM traversal
Summary
OmniAuth OmnitAuth-SAML 1.9.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.
Severity
7.7 (High)
CWE
- CWE-287 - Improper Authentication
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://duo.com/blog/duo-finds-saml-vulnerabiliti… | x_refsource_MISC |
| https://www.kb.cert.org/vuls/id/475445 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| OmniAuth | OmnitAuth-SAML |
Affected:
unspecified , < 1.9.0
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T18:12:39.543Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.kb.cert.org/vuls/id/475445"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OmnitAuth-SAML",
"vendor": "OmniAuth",
"versions": [
{
"lessThan": "1.9.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Kelby Ludwig of Duo Security"
}
],
"descriptions": [
{
"lang": "en",
"value": "OmniAuth OmnitAuth-SAML 1.9.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-17T14:00:30.000Z",
"orgId": "7cd4c57f-0a88-4dda-be53-70336b413766",
"shortName": "duo"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.kb.cert.org/vuls/id/475445"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Multiple SAML libraries may allow authentication bypass via incorrect XML canonicalization and DOM traversal",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@duo.com",
"ID": "CVE-2017-11430",
"STATE": "PUBLIC",
"TITLE": "Multiple SAML libraries may allow authentication bypass via incorrect XML canonicalization and DOM traversal"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OmnitAuth-SAML",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_value": "1.9.0"
}
]
}
}
]
},
"vendor_name": "OmniAuth"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Kelby Ludwig of Duo Security"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OmniAuth OmnitAuth-SAML 1.9.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287: Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations",
"refsource": "MISC",
"url": "https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations"
},
{
"name": "https://www.kb.cert.org/vuls/id/475445",
"refsource": "MISC",
"url": "https://www.kb.cert.org/vuls/id/475445"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7cd4c57f-0a88-4dda-be53-70336b413766",
"assignerShortName": "duo",
"cveId": "CVE-2017-11430",
"datePublished": "2019-04-17T14:00:30.000Z",
"dateReserved": "2017-07-18T00:00:00.000Z",
"dateUpdated": "2024-08-05T18:12:39.543Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-25292 (GCVE-0-2025-25292)
Vulnerability from nvd – Published: 2025-03-12 20:53 – Updated: 2025-11-03 19:45
VLAI
Title
Ruby SAML vulnerable to SAML authentication bypass due to namespace handling (parser differential)
Summary
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently, the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 contain a patch for the issue.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
13 references
| URL | Tags |
|---|---|
| https://github.com/SAML-Toolkits/ruby-saml/securi… | x_refsource_CONFIRM |
| https://github.com/omniauth/omniauth-saml/securit… | x_refsource_MISC |
| https://github.com/SAML-Toolkits/ruby-saml/commit… | x_refsource_MISC |
| https://github.com/SAML-Toolkits/ruby-saml/commit… | x_refsource_MISC |
| https://about.gitlab.com/releases/2025/03/12/patc… | x_refsource_MISC |
| https://github.blog/security/sign-in-as-anyone-by… | x_refsource_MISC |
| https://github.com/SAML-Toolkits/ruby-saml/releas… | x_refsource_MISC |
| https://github.com/SAML-Toolkits/ruby-saml/releas… | x_refsource_MISC |
| https://portswigger.net/research/saml-roulette-th… | x_refsource_MISC |
| https://securitylab.github.com/advisories/GHSL-20… | x_refsource_MISC |
| https://security.netapp.com/advisory/ntap-2025031… | |
| https://news.ycombinator.com/item?id=43374519 | |
| https://lists.debian.org/debian-lts-announce/2025… |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SAML-Toolkits | ruby-saml |
Affected:
< 1.12.4
Affected: >= 1.13.0, < 1.18.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:45:01.139Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250314-0009/"
},
{
"url": "https://news.ycombinator.com/item?id=43374519"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00011.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-25292",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-18T14:32:48.636527Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-18T14:32:54.612Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ruby-saml",
"vendor": "SAML-Toolkits",
"versions": [
{
"status": "affected",
"version": "\u003c 1.12.4"
},
{
"status": "affected",
"version": "\u003e= 1.13.0, \u003c 1.18.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently, the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 contain a patch for the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-436",
"description": "CWE-436: Interpretation Conflict",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-12T19:06:17.813Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-754f-8gm6-c4r2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-754f-8gm6-c4r2"
},
{
"name": "https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-hw46-3hmr-x9xv",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-hw46-3hmr-x9xv"
},
{
"name": "https://github.com/SAML-Toolkits/ruby-saml/commit/e76c5b36bac40aedbf1ba7ffaaf495be63328cd9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/SAML-Toolkits/ruby-saml/commit/e76c5b36bac40aedbf1ba7ffaaf495be63328cd9"
},
{
"name": "https://github.com/SAML-Toolkits/ruby-saml/commit/e9c1cdbd0f9afa467b585de279db0cbd0fb8ae97",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/SAML-Toolkits/ruby-saml/commit/e9c1cdbd0f9afa467b585de279db0cbd0fb8ae97"
},
{
"name": "https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released",
"tags": [
"x_refsource_MISC"
],
"url": "https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released"
},
{
"name": "https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials"
},
{
"name": "https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.12.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.12.4"
},
{
"name": "https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.18.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.18.0"
},
{
"name": "https://portswigger.net/research/saml-roulette-the-hacker-always-wins",
"tags": [
"x_refsource_MISC"
],
"url": "https://portswigger.net/research/saml-roulette-the-hacker-always-wins"
},
{
"name": "https://securitylab.github.com/advisories/GHSL-2024-329_GHSL-2024-330_ruby-saml",
"tags": [
"x_refsource_MISC"
],
"url": "https://securitylab.github.com/advisories/GHSL-2024-329_GHSL-2024-330_ruby-saml"
}
],
"source": {
"advisory": "GHSA-754f-8gm6-c4r2",
"discovery": "UNKNOWN"
},
"title": "Ruby SAML vulnerable to SAML authentication bypass due to namespace handling (parser differential)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-25292",
"datePublished": "2025-03-12T20:53:24.353Z",
"dateReserved": "2025-02-06T17:13:33.122Z",
"dateUpdated": "2025-11-03T19:45:01.139Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-25291 (GCVE-0-2025-25291)
Vulnerability from nvd – Published: 2025-03-12 20:16 – Updated: 2025-11-03 19:44
VLAI
Title
ruby-saml vulnerable to SAML authentication bypass due to DOCTYPE handling (parser differential)
Summary
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 fix the issue.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
13 references
| URL | Tags |
|---|---|
| https://github.com/SAML-Toolkits/ruby-saml/securi… | x_refsource_CONFIRM |
| https://github.com/omniauth/omniauth-saml/securit… | x_refsource_MISC |
| https://github.com/SAML-Toolkits/ruby-saml/commit… | x_refsource_MISC |
| https://github.com/SAML-Toolkits/ruby-saml/commit… | x_refsource_MISC |
| https://about.gitlab.com/releases/2025/03/12/patc… | x_refsource_MISC |
| https://github.blog/security/sign-in-as-anyone-by… | x_refsource_MISC |
| https://github.com/SAML-Toolkits/ruby-saml/releas… | x_refsource_MISC |
| https://github.com/SAML-Toolkits/ruby-saml/releas… | x_refsource_MISC |
| https://portswigger.net/research/saml-roulette-th… | x_refsource_MISC |
| https://securitylab.github.com/advisories/GHSL-20… | x_refsource_MISC |
| https://security.netapp.com/advisory/ntap-2025031… | |
| https://news.ycombinator.com/item?id=43374519 | |
| https://lists.debian.org/debian-lts-announce/2025… |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SAML-Toolkits | ruby-saml |
Affected:
< 1.12.4
Affected: >= 1.13.0, < 1.18.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-25291",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-03T20:06:31.066662Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T20:06:50.415Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:44:59.719Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250314-0010/"
},
{
"url": "https://news.ycombinator.com/item?id=43374519"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00011.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ruby-saml",
"vendor": "SAML-Toolkits",
"versions": [
{
"status": "affected",
"version": "\u003c 1.12.4"
},
{
"status": "affected",
"version": "\u003e= 1.13.0, \u003c 1.18.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 fix the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-436",
"description": "CWE-436: Interpretation Conflict",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-12T19:07:07.030Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-4vc4-m8qh-g8jm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-4vc4-m8qh-g8jm"
},
{
"name": "https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-hw46-3hmr-x9xv",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-hw46-3hmr-x9xv"
},
{
"name": "https://github.com/SAML-Toolkits/ruby-saml/commit/e76c5b36bac40aedbf1ba7ffaaf495be63328cd9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/SAML-Toolkits/ruby-saml/commit/e76c5b36bac40aedbf1ba7ffaaf495be63328cd9"
},
{
"name": "https://github.com/SAML-Toolkits/ruby-saml/commit/e9c1cdbd0f9afa467b585de279db0cbd0fb8ae97",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/SAML-Toolkits/ruby-saml/commit/e9c1cdbd0f9afa467b585de279db0cbd0fb8ae97"
},
{
"name": "https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released",
"tags": [
"x_refsource_MISC"
],
"url": "https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released"
},
{
"name": "https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials"
},
{
"name": "https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.12.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.12.4"
},
{
"name": "https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.18.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.18.0"
},
{
"name": "https://portswigger.net/research/saml-roulette-the-hacker-always-wins",
"tags": [
"x_refsource_MISC"
],
"url": "https://portswigger.net/research/saml-roulette-the-hacker-always-wins"
},
{
"name": "https://securitylab.github.com/advisories/GHSL-2024-329_GHSL-2024-330_ruby-saml",
"tags": [
"x_refsource_MISC"
],
"url": "https://securitylab.github.com/advisories/GHSL-2024-329_GHSL-2024-330_ruby-saml"
}
],
"source": {
"advisory": "GHSA-4vc4-m8qh-g8jm",
"discovery": "UNKNOWN"
},
"title": "ruby-saml vulnerable to SAML authentication bypass due to DOCTYPE handling (parser differential)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-25291",
"datePublished": "2025-03-12T20:16:12.181Z",
"dateReserved": "2025-02-06T17:13:33.122Z",
"dateUpdated": "2025-11-03T19:44:59.719Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-25293 (GCVE-0-2025-25293)
Vulnerability from nvd – Published: 2025-03-12 20:11 – Updated: 2025-11-03 19:45
VLAI
Title
ruby-saml vulnerable to Remote Denial of Service (DoS) with compressed SAML responses
Summary
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Prior to versions 1.12.4 and 1.18.0, ruby-saml is susceptible to remote Denial of Service (DoS) with compressed SAML responses. ruby-saml uses zlib to decompress SAML responses in case they're compressed. It is possible to bypass the message size check with a compressed assertion since the message size is checked before inflation and not after. This issue may lead to remote Denial of Service (DoS). Versions 1.12.4 and 1.18.0 fix the issue.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
11 references
| URL | Tags |
|---|---|
| https://github.com/SAML-Toolkits/ruby-saml/securi… | x_refsource_CONFIRM |
| https://github.com/omniauth/omniauth-saml/securit… | x_refsource_MISC |
| https://github.com/SAML-Toolkits/ruby-saml/commit… | x_refsource_MISC |
| https://github.com/SAML-Toolkits/ruby-saml/commit… | x_refsource_MISC |
| https://about.gitlab.com/releases/2025/03/12/patc… | x_refsource_MISC |
| https://github.blog/security/sign-in-as-anyone-by… | x_refsource_MISC |
| https://github.com/SAML-Toolkits/ruby-saml/releas… | x_refsource_MISC |
| https://github.com/SAML-Toolkits/ruby-saml/releas… | x_refsource_MISC |
| https://securitylab.github.com/advisories/GHSL-20… | x_refsource_MISC |
| https://security.netapp.com/advisory/ntap-2025031… | |
| https://lists.debian.org/debian-lts-announce/2025… |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SAML-Toolkits | ruby-saml |
Affected:
< 1.12.4
Affected: >= 1.13.0, < 1.18.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-25293",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-12T20:36:09.253658Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-12T20:36:17.830Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:45:02.622Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250314-0008/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00011.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ruby-saml",
"vendor": "SAML-Toolkits",
"versions": [
{
"status": "affected",
"version": "\u003c 1.12.4"
},
{
"status": "affected",
"version": "\u003e= 1.13.0, \u003c 1.18.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Prior to versions 1.12.4 and 1.18.0, ruby-saml is susceptible to remote Denial of Service (DoS) with compressed SAML responses. ruby-saml uses zlib to decompress SAML responses in case they\u0027re compressed. It is possible to bypass the message size check with a compressed assertion since the message size is checked before inflation and not after. This issue may lead to remote Denial of Service (DoS). Versions 1.12.4 and 1.18.0 fix the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-12T19:05:32.311Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-92rq-c8cf-prrq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-92rq-c8cf-prrq"
},
{
"name": "https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-hw46-3hmr-x9xv",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-hw46-3hmr-x9xv"
},
{
"name": "https://github.com/SAML-Toolkits/ruby-saml/commit/acac9e9cc0b9a507882c614f25d41f8b47be349a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/SAML-Toolkits/ruby-saml/commit/acac9e9cc0b9a507882c614f25d41f8b47be349a"
},
{
"name": "https://github.com/SAML-Toolkits/ruby-saml/commit/e2da4c6dae7dc01a4d9cd221395140a67e2b3eb1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/SAML-Toolkits/ruby-saml/commit/e2da4c6dae7dc01a4d9cd221395140a67e2b3eb1"
},
{
"name": "https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released",
"tags": [
"x_refsource_MISC"
],
"url": "https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released"
},
{
"name": "https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials"
},
{
"name": "https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.12.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.12.4"
},
{
"name": "https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.18.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.18.0"
},
{
"name": "https://securitylab.github.com/advisories/GHSL-2024-355_ruby-saml",
"tags": [
"x_refsource_MISC"
],
"url": "https://securitylab.github.com/advisories/GHSL-2024-355_ruby-saml"
}
],
"source": {
"advisory": "GHSA-92rq-c8cf-prrq",
"discovery": "UNKNOWN"
},
"title": "ruby-saml vulnerable to Remote Denial of Service (DoS) with compressed SAML responses"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-25293",
"datePublished": "2025-03-12T20:11:08.860Z",
"dateReserved": "2025-02-06T17:13:33.122Z",
"dateUpdated": "2025-11-03T19:45:02.622Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-45409 (GCVE-0-2024-45409)
Vulnerability from nvd – Published: 2024-09-10 18:50 – Updated: 2024-11-11 17:02
VLAI
Title
The Ruby SAML library vulnerable to a SAML authentication bypass via Incorrect XPath selector
Summary
The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system. This vulnerability is fixed in 1.17.0 and 1.12.3.
Severity
10 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-347 - Improper Verification of Cryptographic Signature
Assigner
References
8 references
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| SAML-Toolkits | ruby-saml |
Affected:
< 1.12.3
Affected: >= 1.13.0, < 1.17.0 |
|
| onelogin | ruby-saml |
Affected:
0 , < 1.12.3
(custom)
Affected: 1.13.0 , < 1.17.0 (custom) cpe:2.3:a:onelogin:ruby-saml:*:*:*:*:*:*:*:* |
|
| omniauth | omniauth-saml |
Affected:
0 , ≤ 2.1.0
(custom)
cpe:2.3:a:omniauth:omniauth-saml:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:onelogin:ruby-saml:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ruby-saml",
"vendor": "onelogin",
"versions": [
{
"lessThan": "1.12.3",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "1.17.0",
"status": "affected",
"version": "1.13.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:omniauth:omniauth-saml:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "omniauth-saml",
"vendor": "omniauth",
"versions": [
{
"lessThanOrEqual": "2.1.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45409",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-23T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-16T03:55:11.297Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-11-11T17:02:31.329Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://ssoready.com/blog/engineering/ruby-saml-pwned-by-xml-signature-wrapping-attacks/"
},
{
"url": "https://news.ycombinator.com/item?id=41586031"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240926-0008/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00006.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ruby-saml",
"vendor": "SAML-Toolkits",
"versions": [
{
"status": "affected",
"version": "\u003c 1.12.3"
},
{
"status": "affected",
"version": "\u003e= 1.13.0, \u003c 1.17.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in \u003c= 12.2 and 1.13.0 \u003c= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system. This vulnerability is fixed in 1.17.0 and 1.12.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T21:03:29.185Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2"
},
{
"name": "https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-cvp8-5r8g-fhvq",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-cvp8-5r8g-fhvq"
},
{
"name": "https://github.com/SAML-Toolkits/ruby-saml/commit/1ec5392bc506fe43a02dbb66b68741051c5ffeae",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/SAML-Toolkits/ruby-saml/commit/1ec5392bc506fe43a02dbb66b68741051c5ffeae"
},
{
"name": "https://github.com/SAML-Toolkits/ruby-saml/commit/4865d030cae9705ee5cdb12415c654c634093ae7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/SAML-Toolkits/ruby-saml/commit/4865d030cae9705ee5cdb12415c654c634093ae7"
}
],
"source": {
"advisory": "GHSA-jw9c-mfg7-9rx2",
"discovery": "UNKNOWN"
},
"title": "The Ruby SAML library vulnerable to a SAML authentication bypass via Incorrect XPath selector"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45409",
"datePublished": "2024-09-10T18:50:12.965Z",
"dateReserved": "2024-08-28T20:21:32.804Z",
"dateUpdated": "2024-11-11T17:02:31.329Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-11430 (GCVE-0-2017-11430)
Vulnerability from nvd – Published: 2019-04-17 14:00 – Updated: 2024-08-05 18:12
VLAI
Title
Multiple SAML libraries may allow authentication bypass via incorrect XML canonicalization and DOM traversal
Summary
OmniAuth OmnitAuth-SAML 1.9.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.
Severity
7.7 (High)
CWE
- CWE-287 - Improper Authentication
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://duo.com/blog/duo-finds-saml-vulnerabiliti… | x_refsource_MISC |
| https://www.kb.cert.org/vuls/id/475445 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| OmniAuth | OmnitAuth-SAML |
Affected:
unspecified , < 1.9.0
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T18:12:39.543Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.kb.cert.org/vuls/id/475445"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OmnitAuth-SAML",
"vendor": "OmniAuth",
"versions": [
{
"lessThan": "1.9.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Kelby Ludwig of Duo Security"
}
],
"descriptions": [
{
"lang": "en",
"value": "OmniAuth OmnitAuth-SAML 1.9.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-17T14:00:30.000Z",
"orgId": "7cd4c57f-0a88-4dda-be53-70336b413766",
"shortName": "duo"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.kb.cert.org/vuls/id/475445"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Multiple SAML libraries may allow authentication bypass via incorrect XML canonicalization and DOM traversal",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@duo.com",
"ID": "CVE-2017-11430",
"STATE": "PUBLIC",
"TITLE": "Multiple SAML libraries may allow authentication bypass via incorrect XML canonicalization and DOM traversal"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OmnitAuth-SAML",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_value": "1.9.0"
}
]
}
}
]
},
"vendor_name": "OmniAuth"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Kelby Ludwig of Duo Security"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OmniAuth OmnitAuth-SAML 1.9.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287: Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations",
"refsource": "MISC",
"url": "https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations"
},
{
"name": "https://www.kb.cert.org/vuls/id/475445",
"refsource": "MISC",
"url": "https://www.kb.cert.org/vuls/id/475445"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7cd4c57f-0a88-4dda-be53-70336b413766",
"assignerShortName": "duo",
"cveId": "CVE-2017-11430",
"datePublished": "2019-04-17T14:00:30.000Z",
"dateReserved": "2017-07-18T00:00:00.000Z",
"dateUpdated": "2024-08-05T18:12:39.543Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}