CVE-2024-45409.yml
---
gem: omniauth-saml
cve: 2024-45409
ghsa: cvp8-5r8g-fhvq
url: https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-cvp8-5r8g-fhvq
title: omniauth-saml vulnerable to Improper Verification of Cryptographic Signature
date: 2024-09-11
description: |
  ruby-saml, the SAML gem that omniauth-saml depends on, has a signature
  wrapping vulnerability in versions <= v1.12.0 and v1.13.0 to v1.16.0; see
  https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2
  As a result, omniauth-saml created a
  [new release](https://github.com/omniauth/omniauth-saml/releases)
  by upgrading ruby-saml to the patched version v1.17.
cvss_v3: 10.0
patched_versions:
  - ">= 1.10.5, < 2.0.0"
  - "~> 2.1.2"
  - ">= 2.2.1"
related:
  ghsa:
    - https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-cvp8-5r8g-fhvq
    - https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2
    - https://github.com/advisories/GHSA-cvp8-5r8g-fhvq
  url:
    - https://github.com/omniauth/omniauth-saml/commit/4274e9d57e65f2dcaae4aa3b2accf831494f2ddd
    - https://github.com/omniauth/omniauth-saml/commit/6c681fd082ab3daf271821897a40ab3417382e29