GHSA-cvp8-5r8g-fhvq – omniauth-saml

Package

Manager: gem
Name: omniauth-saml
Vulnerable Version: >=2.0.0 <2.1.2 || >=0 <1.10.5 || >=2.2.0 <2.2.1

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

EPSS: N/A pctlN/A

Details

omniauth-saml vulnerable to Improper Verification of Cryptographic Signature ruby-saml, the dependent SAML gem of omniauth-saml has a signature wrapping vulnerability in <= v1.12.0 and v1.13.0 to v1.16.0 , see https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2 As a result, omniauth-saml created a [new release](https://github.com/omniauth/omniauth-saml/releases) by upgrading ruby-saml to the patched versions v1.17.

Metadata

Created: 2024-09-11T21:08:26Z
Modified: 2024-09-19T18:25:42Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-cvp8-5r8g-fhvq/GHSA-cvp8-5r8g-fhvq.json
CWE IDs: ["CWE-347"]
Alternative ID: N/A
Finding: F163
Auto approve: 1