ADVISORIES
- CVE-2015-20108 (NVD)
- GHSA-r364-2pj4-pf7f
- OSVDB-124991
- Vendor Advisory
GEM
SEVERITY
CVSS v3.x: 9.8 (Critical)
CVSS v2.0: 6.7 (Medium)
PATCHED VERSIONS
- >= 1.0.0
DESCRIPTION
xml_security.rb in the ruby-saml gem before 1.0.0 for Ruby allows XPath injection and code execution because prepared statements are not used.
The lack of prepared statements allows for possibly command injection, leading to arbitrary code execution.
RELATED
- https://nvd.nist.gov/vuln/detail/CVE-2015-20108
- https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.0.0
- https://github.com/SAML-Toolkits/ruby-saml/pull/225
- https://github.com/SAML-Toolkits/ruby-saml/commit/9853651b96b99653ea8627d757d46bfe62ab6448
- https://security.snyk.io/vuln/SNYK-RUBY-RUBYSAML-20217
- https://www.mend.io/vulnerability-database/WS-2015-0036
- https://github.com/advisories/GHSA-r364-2pj4-pf7f