Critical security flaw in ruby-saml library

Posted on Thursday, 19 September 2024

The federation has been made aware of a critical security flaw in ruby-saml -- a Ruby based SAML library used by some participants of the federation.

https://nvd.nist.gov/vuln/detail/CVE-2024-45409

From the security announcement:

The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 [sic] and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system.
This vulnerability is fixed in 1.17.0 and 1.12.3.

Affected versions of ruby-saml are any that are up to and including 1.12.2 and between 1.13.6 and 1.16.0.

We're aware that Omniauth's SAML implementation (up to and including version 2.1.0) is also based on this library and is fixed in version 2.2.0.

We recommend that you check whether you're using this library or Omniauth and take appropriate action as soon as possible.

Edited by MattHuckson on 17 December 2024, at 08:42 AM