CVE-2024-45409

The Ruby SAML library vulnerable to a SAML authentication bypass via Incorrect XPath selector

CVSS 10 CRITICALEPSS 10.7%CWE-347

The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system. This vulnerability is fixed in 1.17.0 and 1.12.3.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Affected products

SAML-Toolkits · ruby-saml

public PoCs found — 1

githubgithub.com/synacktiv/CVE-2024-45409★ 83

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-cvp8-5r8g-fhvq https://github.com/SAML-Toolkits/ruby-saml/commit/1ec5392bc506fe43a02dbb66b68741051c5ffeae https://github.com/SAML-Toolkits/ruby-saml/commit/4865d030cae9705ee5cdb12415c654c634093ae7 https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2 https://lists.debian.org/debian-lts-announce/2024/11/msg00006.html https://news.ycombinator.com/item?id=41586031 https://security.netapp.com/advisory/ntap-20240926-0008/https://ssoready.com/blog/engineering/ruby-saml-pwned-by-xml-signature-wrapping-attacks/