Lucene search

RubySecRUBY:RUBY-SAML-2024-45409

HistoryAug 27, 2024 - 9:00 p.m.

SAML authentication bypass via Incorrect XPath selector

2024-08-2721:00:00

RubySec

github.com

saml

authentication bypass

incorrect xpath

ruby-saml

signature verification

unauthenticated attacker

saml response

arbitrary content

user login

vulnerability

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

AI Score

7.2

Confidence

High

JSON

Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response.
An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML
Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within
the vulnerable system.

Affected configurations

Vulners

Node

rubyruby-samlRange1.12.0–1.12.3

rubyruby-samlRange≤1.17.0

VendorProductVersionCPE
rubyruby-saml*cpe:2.3:a:ruby:ruby-saml:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ruby	ruby-saml	*	cpe:2.3:a:ruby:ruby-saml::::::::

References

github.com/SAML-Toolkits/ruby-saml/commit/1ec5392bc506fe43a02dbb66b68741051c5ffeae

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

AI Score

7.2

Confidence

High

JSON

Related for RUBY:RUBY-SAML-2024-45409