Critical security flaw in ruby-saml library
Posted on Thursday, 19 September 2024
The federation has been made aware of a critical security flaw in ruby-saml
-- a Ruby based SAML library used by some participants of the federation.
https://nvd.nist.gov/vuln/detail/CVE-2024-45409
From the security announcement:
The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 [sic] and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system.
This vulnerability is fixed in 1.17.0 and 1.12.3.
Affected versions of ruby-saml are any that are up to and including 1.12.2 and between 1.13.6 and 1.16.0.
We're aware that Omniauth's SAML implementation (up to and including version 2.1.0) is also based on this library and is fixed in version 2.2.0.
We recommend that you check whether you're using this library or Omniauth and take appropriate action as soon as possible.
Edited by MattHuckson on 17 December 2024, at 08:42 AM