Lucene search

RubySecRUBY:OMNIAUTH-SAML-2024-45409

HistoryAug 27, 2024 - 9:00 p.m.

SAML authentication bypass via Incorrect XPath selector

2024-08-2721:00:00

RubySec

github.com

saml authentication

ruby-saml

signature verification

unauthenticated attacker

saml response

arbitrary user

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

AI Score

7.2

Confidence

High

JSON

Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response.
An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML
Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within
the vulnerable system.

Affected configurations

Vulners

Node

rubyomniauth-samlRange≤2.2.0

VendorProductVersionCPE
rubyomniauth-saml*cpe:2.3:a:ruby:omniauth-saml:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ruby	omniauth-saml	*	cpe:2.3:a:ruby:omniauth-saml::::::::

References

github.com/omniauth/omniauth-saml/commit/4274e9d57e65f2dcaae4aa3b2accf831494f2ddd

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

AI Score

7.2

Confidence

High

JSON

Related for RUBY:OMNIAUTH-SAML-2024-45409