====================================================================

                                 CERT-Renater

                      Note d'Information No. 2024/VULN369
_____________________________________________________________________

DATE                : 13/09/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running omniauth-saml versions prior
                     to 2.2.0, or ruby-saml versions prior to
                     1.17.0 (1.13.x branch) or 1.12.3 (1.12.x branch).

=====================================================================
https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2
_____________________________________________________________________


SAML authentication bypass via Incorrect XPath selector
Critical
pitbulk published GHSA-jw9c-mfg7-9rx2 Sep 10, 2024

Package: omniauth-saml (RubyGems)
  Affected versions: <= 2.1.0
  Patched versions : 2.2.0

Package: ruby-saml (RubyGems)
  Affected versions: <= 1.12.2 || >= 1.13.0 <= 1.16.0
  Patched versions : 1.17.0, 1.12.3


Description

Ruby-SAML <= 1.12.2 and 1.13.0 through 1.16.0 does not properly
verify the signature of the SAML Response. An unauthenticated
attacker with access to any SAML document signed by the IdP can thus
forge a SAML Response/Assertion with arbitrary contents. This would
allow the attacker to log in as an arbitrary user within the
vulnerable system.
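The first defensive step is an inventory check: the following Ruby
script (added here, not part of the advisory or of ruby-saml) scans a
Gemfile.lock for omniauth-saml and ruby-saml pins inside the affected
ranges quoted above. The sample lockfile is constructed for the demo.

```ruby
require "rubygems"

# Affected ranges copied from the advisory; constraints passed to one
# Gem::Requirement call are ANDed, so 1.12.3 and 1.17.0 fall outside.
AFFECTED = {
  "omniauth-saml" => [Gem::Requirement.new("<= 2.1.0")],
  "ruby-saml"     => [Gem::Requirement.new("<= 1.12.2"),
                      Gem::Requirement.new(">= 1.13.0", "<= 1.16.0")],
}.freeze

# True when the named gem at this version is inside an affected range.
def affected?(name, version)
  ranges = AFFECTED[name] or return false
  # Drop a platform suffix such as "-x86_64-linux" before comparing.
  v = Gem::Version.new(version.to_s.sub(/-.*\z/, ""))
  ranges.any? { |r| r.satisfied_by?(v) }
end

# Scan Gemfile.lock text and return {gem_name => resolved_version} for
# every affected entry. Resolved gems sit under "specs:" indented by
# exactly four spaces; their dependencies use six and are skipped.
def affected_gems(lockfile)
  found = {}
  in_specs = false
  lockfile.each_line do |line|
    in_specs = true  if line =~ /\A  specs:\s*\z/
    in_specs = false if line =~ /\A\S/ # new top-level section (GEM, DEPENDENCIES)
    next unless in_specs
    next unless (m = line.match(/\A    (\S+) \(([^)\s]+)\)/))
    name, version = m[1], m[2]
    found[name] = version if affected?(name, version)
  end
  found
end

# Constructed sample lockfile (not from any real project) pinning both
# gems to the last affected releases named in the advisory.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      omniauth (2.1.2)
      omniauth-saml (2.1.0)
        ruby-saml (~> 1.12)
      ruby-saml (1.16.0)

  DEPENDENCIES
    omniauth-saml
LOCK

affected_gems(SAMPLE_LOCK).each { |g, v| puts "#{g} #{v} is affected; upgrade" }
```

Run it against a real lockfile with `affected_gems(File.read("Gemfile.lock"))`; an empty hash means both gems are already on a patched release.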

This vulnerability was reported by ahacker1 of SecureSAML
(ahacker1@securesaml.com)


Severity: Critical (10.0 / 10)

CVSS v3 base metrics
  Attack vector      : Network
  Attack complexity  : Low
  Privileges required: None
  User interaction   : None
  Scope              : Changed
  Confidentiality    : High
  Integrity          : High
  Availability       : None

  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

CVE ID    : CVE-2024-45409
Weaknesses: CWE-347

Credits

     @ahacker1-securesaml (Reporter)



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
