Fluid Attacks Database

Description

Ruby-SAML Improper Authentication vulnerability OneLogin Ruby-SAML 1.6.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rubygems	ruby-saml	>=0 <1.7.0	1.7.0
debian 12	ruby-saml	>=0 <1.7.2-1	1.7.2-1
debian 11	ruby-saml	>=0 <1.7.2-1	1.7.2-1

Aliases

1. CVE-2017-114282. NVD-2017-114283. OSV-2017-114284. OSV-DEBIAN-2017-114285. GCVE-2017-114286. SECURITY-TRACKER-CVE-2017-11428

References

1. https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations2. https://www.kb.cert.org/vuls/id/475445