CVSSv3: 9.8

CVE-2017-11428

Published: 17/04/2019 Updated: 09/10/2019
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

OneLogin Ruby-SAML 1.6.0 and previous versions may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attacker to potentially bypass authentication to SAML service providers.

Vulnerable Product

onelogin ruby-saml

Vendor Advisories

Debian Bug report logs - #892865 CVE-2017-11428. Package: ruby-saml; Maintainer for ruby-saml is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Source for ruby-saml is src:ruby-saml (PTS, buildd, popcon). Reported by: Moritz Muehlenhoff <jmm@debian.org>. Date: Tue, 13 Mar 2018 22:2 ...

Github Repositories

Ruby SAML. Updating from 1.8.0 to 1.9.0: Version 1.8.0 better supports Ruby 2.4+ and JRuby 9.2.0.0. Settings initialization now has a second parameter, keep_security_settings (default: false), which saves security settings attributes that are not explicitly overridden, if set to true. Updating from 1.7.X to 1.8.0: On Version 1.8.0, creating AuthRequests/LogoutRequests/LogoutRes