PT-2025-49774

Name of the Vulnerable Software and Affected Versions ruby-saml versions up to and including 1.12.4 Description The ruby-saml library, used for SAML authorization on the client side, has an authentication bypass issue. This is due to an incomplete fix related to a previous issue. Differences in h...

Ruby SAML 数据伪造问题漏洞

Ruby SAML is a SAML-Toolkits open source implementation of a SAML authorization client. Ruby SAML 1.12.4 and prior versions suffer from a Data Forgery Issue vulnerability that stems from a flaw in the libxml2 normalization process that could lead to authentication bypass...

OneLogin ruby-saml 数据伪造问题漏洞

Onelogin OneLogin ruby-saml is a Ruby-based SAML Security Assertion Markup Language library for Single Sign-On SSO services from Onelogin, USA. A data forgery issue vulnerability exists in OneLogin ruby-saml version 1.12.4 and earlier, which stems from XML parsing differences and could lead to...

Improper Verification of Cryptographic Signature

Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the libxml2 canonicalization process. An attacker can bypass authentication and replay signatures by crafting XML input that causes canonicalization to yield an empty string, leading ...

Ruby-saml allows a Libxml2 Canonicalization error to bypass Digest/Signature validation

Summary Ruby-saml up to and including 1.12.4, there is an authentication bypass vulnerability because of an issue at libxml2 canonicalization process used by Nokogiri for document transformation. That allows an attacker to be able to execute a Signature Wrapping attack. The vulnerability does not...

GHSA-X4H9-GWV3-R4M4 Ruby-saml allows a Libxml2 Canonicalization error to bypass Digest/Signature validation

Summary Ruby-saml up to and including 1.12.4, there is an authentication bypass vulnerability because of an issue at libxml2 canonicalization process used by Nokogiri for document transformation. That allows an attacker to be able to execute a Signature Wrapping attack. The vulnerability does not...

Ruby-saml has a SAML authentication bypass due to namespace handling (parser differential)

Summary Ruby-saml up to and including 1.12.4, there is an authentication bypass vulnerability because of an incomplete fix for CVE-2025-25292. ReXML and Nokogiri parse XML differently, the parsers can generate entirely different document structures from the same XML input. That allows an attacker...

Improper Verification of Cryptographic Signature

Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to differences in XML document namespace parsing between REXML and Nokogiri, implemented in xmlsecurity.rb. An attacker can bypass authentication via Signature Wrapping attack. Note:...

GHSA-9V8J-X534-2FX3 Ruby-saml has a SAML authentication bypass due to namespace handling (parser differential)

Summary Ruby-saml up to and including 1.12.4, there is an authentication bypass vulnerability because of an incomplete fix for CVE-2025-25292. ReXML and Nokogiri parse XML differently, the parsers can generate entirely different document structures from the same XML input. That allows an attacker...

Ruby-saml has a SAML authentication bypass due to namespace handling (parser differential)

Summary Ruby-saml up to and including 1.12.4, there is an authentication bypass vulnerability because of an incomplete fix for CVE-2025-25292. ReXML and Nokogiri parse XML differently, the parsers can generate entirely different document structures from the same XML input. That allows an attacker...

Ruby-saml allows a Libxml2 Canonicalization error to bypass Digest/Signature validation

Summary Ruby-saml up to and including 1.12.4, there is an authentication bypass vulnerability because of an issue at libxml2 canonicalization process used by Nokogiri for document transformation. That allows an attacker to be able to execute a Signature Wrapping attack. The vulnerability does not...

Security Bulletin: Multiple vulnerabilities in IBM Aspera Shares

Summary Multiple vulnerabilities were addressed in IBM Aspera Shares version 1.11.0. Vulnerability Details CVEID:CVE-2017-17718 DESCRIPTION: The Net::LDAP aka net-ldap gem before 0.16.0 for Ruby has Missing SSL Certificate Validation. CWE:CWE-295: Improper Certificate Validation CVSS Source: IBM...

ROS-20251203-19

Vulnerability in the Ruby programming language library that implements the MQTT protocol Rubygem MQTT is related to the lack of hostname validation. Exploitation of the vulnerability could allow A remote attacker to perform a man-in-the-middle attack...

SUSE SLED15 / SLES15 Security Update : ruby2.5 (SUSE-SU-2025:4264-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:4264-1 advisory. - CVE-2024-35221: Fixed remote DoS via YAML manifest bsc1225905 - CVE-2024-47220: Fixed HTTP request smuggling...

Malicious code in pg_result_init (RubyGems)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 007d07edb120233aab0539e4646e8b634d2a95e2df9e6179bb9b2b6eb90f5a97 The OpenSSF Package Analysis project identified 'pgresultinit' @ 2.0.9 rubygems as malicious. It is considered malicious because: - The package...

MAL-2025-191667 Malicious code in pg_result_init (RubyGems)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 007d07edb120233aab0539e4646e8b634d2a95e2df9e6179bb9b2b6eb90f5a97 The OpenSSF Package Analysis project identified 'pgresultinit' @ 2.0.9 rubygems as malicious. It is considered malicious because: - The package...

EUVD-2025-200264

Malicious code in pgresultinit RubyGems...

metasploit-framework

This is the Metasploit Framework repository, a widely used penetration testing tool. It is an offensive tool for penetration testing and vulnerability assessment. The repository contains various modules and tools for exploiting vulnerabilities and conducting penetration testing. The primary...

net-imap rubygem vulnerable to possible DoS by memory exhaustion

...

Mageia: Security Advisory (MGASA-2025-0311)

The remote host is missing an update for the SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...