CVE-2024-45409

EUVD-2024-2828
The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system. This vulnerability is fixed in 1.17.0 and 1.12.3.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
10 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
GitHub_MCNA
10 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 97%
Affected Products (NVD)
VendorProductVersion
oneloginruby-saml
𝑥
< 1.12.3
oneloginruby-saml
1.13.0 ≤
𝑥
< 1.17.0
omniauthomniauth_saml
𝑥
≤ 1.10.3
omniauthomniauth_saml
2.0.0
omniauthomniauth_saml
2.1.0
gitlabgitlab
𝑥
< 16.11.10
gitlabgitlab
17.0.0 ≤
𝑥
< 17.0.8
gitlabgitlab
17.1.0 ≤
𝑥
< 17.1.8
gitlabgitlab
17.2.0 ≤
𝑥
< 17.2.7
gitlabgitlab
17.3.0 ≤
𝑥
< 17.3.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
ruby-saml
bookworm
1.13.0-1+deb12u1
fixed
bookworm (security)
1.13.0-1+deb12u1
fixed
bullseye
vulnerable
bullseye (security)
1.11.0-1+deb11u3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
ruby-saml
bionic
Fixed 1.7.2-1ubuntu0.1~esm1
released
focal
Fixed 1.11.0-1ubuntu0.1
released
jammy
Fixed 1.13.0-1ubuntu0.1
released
noble
Fixed 1.15.0-1ubuntu0.24.04.1
released
oracular
Fixed 1.15.0-1ubuntu0.24.10.1
released
xenial
Fixed 1.1.2-1ubuntu1+esm1
released
Common Weakness Enumeration
References
https://github.com/SAML-Toolkits/ruby-saml/commit/1ec5392bc506fe43a02dbb66b68741051c5ffeae
https://github.com/SAML-Toolkits/ruby-saml/commit/4865d030cae9705ee5cdb12415c654c634093ae7
https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2
https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-cvp8-5r8g-fhvq
https://lists.debian.org/debian-lts-announce/2024/11/msg00006.html
https://news.ycombinator.com/item?id=41586031
https://security.netapp.com/advisory/ntap-20240926-0008/
https://ssoready.com/blog/engineering/ruby-saml-pwned-by-xml-signature-wrapping-attacks/