Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Ruby\-Saml
(Onelogin)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 4 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2024-09-10 | CVE-2024-45409 | The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system. This vulnerability is fixed in 1.17.0 and 1.12.3. | Gitlab, Omniauth_saml, Ruby\-Saml | 9.8 | ||
| 2023-05-27 | CVE-2015-20108 | xml_security.rb in the ruby-saml gem before 1.0.0 for Ruby allows XPath injection and code execution because prepared statements are not used. | Ruby\-Saml | 9.8 | ||
| 2019-04-17 | CVE-2017-11428 | OneLogin Ruby-SAML 1.6.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers. | Ruby\-Saml | 9.8 | ||
| 2017-01-23 | CVE-2016-5697 | Ruby-saml before 1.3.0 allows attackers to perform XML signature wrapping attacks via unspecified vectors. | Ruby\-Saml | 7.5 |