CVE-2024-45409

The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system. This vulnerability is fixed in 1.17.0 and 1.12.3.

CVSS v3 10.0 CRITICAL

10.0^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/SAML-Toolkits/ruby-saml/commit/1ec5392bc506fe43a02dbb66b68741051c5ffeae	Patch
https://github.com/SAML-Toolkits/ruby-saml/commit/4865d030cae9705ee5cdb12415c654c634093ae7	Patch
https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2	Vendor Advisory
https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-cvp8-5r8g-fhvq	Vendor Advisory
https://lists.debian.org/debian-lts-announce/2024/11/msg00006.html
https://news.ycombinator.com/item?id=41586031
https://security.netapp.com/advisory/ntap-20240926-0008/
https://ssoready.com/blog/engineering/ruby-saml-pwned-by-xml-signature-wrapping-attacks/

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:onelogin:ruby-saml::::::::
	cpe:2.3:a:onelogin:ruby-saml::::::::

Configuration 2 (hide)

OR	cpe:2.3:a:omniauth:omniauth_saml::::::ruby::*
	cpe:2.3:a:omniauth:omniauth_saml:2.0.0:::::ruby::
	cpe:2.3:a:omniauth:omniauth_saml:2.1.0:::::ruby::

Configuration 3 (hide)

OR	cpe:2.3:a:gitlab:gitlab::::::::
	cpe:2.3:a:gitlab:gitlab::::::::
	cpe:2.3:a:gitlab:gitlab::::::::
	cpe:2.3:a:gitlab:gitlab::::::::
	cpe:2.3:a:gitlab:gitlab::::::::

History

No history.

Information

Published : 2024-09-10 19:15

Updated : 2024-11-21 09:37

NVD link : CVE-2024-45409

Mitre link : CVE-2024-45409

CVE.ORG link : CVE-2024-45409

JSON object : View

Products Affected

omniauth

omniauth_saml

onelogin

ruby-saml

gitlab

gitlab

CWE

CWE-347

Improper Verification of Cryptographic Signature

{"id": "CVE-2024-45409", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2024-09-10T19:15:22.030", "references": [{"url": "https://github.com/SAML-Toolkits/ruby-saml/commit/1ec5392bc506fe43a02dbb66b68741051c5ffeae", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/SAML-Toolkits/ruby-saml/commit/4865d030cae9705ee5cdb12415c654c634093ae7", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-cvp8-5r8g-fhvq", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00006.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://news.ycombinator.com/item?id=41586031", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.netapp.com/advisory/ntap-20240926-0008/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://ssoready.com/blog/engineering/ruby-saml-pwned-by-xml-signature-wrapping-attacks/", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-347"}]}], "descriptions": [{"lang": "en", "value": "The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system. This vulnerability is fixed in 1.17.0 and 1.12.3."}, {"lang": "es", "value": "La librer\u00eda Ruby SAML sirve para implementar el lado del cliente de una autorizaci\u00f3n SAML. Ruby-SAML en <= 12.2 y 1.13.0 <= 1.16.0 no verifica correctamente la firma de la respuesta SAML. Un atacante no autenticado con acceso a cualquier documento SAML firmado (por el IdP) puede falsificar una respuesta/afirmaci\u00f3n SAML con contenido arbitrario. Esto le permitir\u00eda al atacante iniciar sesi\u00f3n como un usuario arbitrario dentro del sistema vulnerable. Esta vulnerabilidad se solucion\u00f3 en 1.17.0 y 1.12.3."}], "lastModified": "2024-11-21T09:37:44.377", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:onelogin:ruby-saml:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DF41BEEE-FC5B-4728-B9BE-0B58C04F547E", "versionEndExcluding": "1.12.3"}, {"criteria": "cpe:2.3:a:onelogin:ruby-saml:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "ADBA67BE-BC31-48C0-A36F-9431814178C0", "versionEndExcluding": "1.17.0", "versionStartIncluding": "1.13.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:omniauth:omniauth_saml:*:*:*:*:*:ruby:*:*", "vulnerable": true, "matchCriteriaId": "6D978907-97A8-4EF4-BF81-FE8702C24745", "versionEndIncluding": "1.10.3"}, {"criteria": "cpe:2.3:a:omniauth:omniauth_saml:2.0.0:*:*:*:*:ruby:*:*", "vulnerable": true, "matchCriteriaId": "527AEDE3-F8EB-4C38-AF51-3B679AC4E336"}, {"criteria": "cpe:2.3:a:omniauth:omniauth_saml:2.1.0:*:*:*:*:ruby:*:*", "vulnerable": true, "matchCriteriaId": "3F307538-4D4D-4DD1-A9A0-F4D06E20163E"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7000556E-4EBB-4B99-84B1-A2EEA709311C", "versionEndExcluding": "16.11.10"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3B47FDB0-B642-4E50-B0B6-1D71545FE917", "versionEndExcluding": "17.0.8", "versionStartIncluding": "17.0.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "86B327A7-22C7-488F-ABA6-3AC90EF07D04", "versionEndExcluding": "17.1.8", "versionStartIncluding": "17.1.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E831CA83-DDA9-4F47-BCF8-2CBB7E74C9DC", "versionEndExcluding": "17.2.7", "versionStartIncluding": "17.2.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "60003658-012F-4DB8-9D8F-8E48C14CA0C4", "versionEndExcluding": "17.3.3", "versionStartIncluding": "17.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}