Ruby-SAML Improper Authentication vulnerability

GHSA-x2fr-v8wf-8wwv · CVE-2017-11428

Published Jul 5, 2019 · Modified Nov 8, 2023

Description

OneLogin Ruby-SAML 1.6.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2017-11428
WEB https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
WEB https://www.kb.cert.org/vuls/id/475445

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes