Omniauth SAML 1.4.0 for Ruby

CPE Details

Omniauth SAML 1.4.0 for Ruby
omniauth
omniauth_saml
1.4.0
2024-09-20
14h21 +00:00
2024-09-20
14h21 +00:00
CPE NVD
Alerte pour un CPE
Stay informed of any changes for a specific CPE.
Notifications manage

CPE Name: cpe:2.3:a:omniauth:omniauth_saml:1.4.0:*:*:*:*:ruby:*:*

Informations

Vendor

omniauth

Product

omniauth_saml

Version

1.4.0

Target Software

ruby

Related CVE

Open and find in CVE List

CVE ID Published Description Score Severity
CVE-2024-45409 2024-09-10 18h50 +00:00 The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system. This vulnerability is fixed in 1.17.0 and 1.12.3.
10
Critical
CVE-2017-11430 2019-04-17 12h00 +00:00 OmniAuth OmnitAuth-SAML 1.9.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.
9.8
Critical