RubySec

Providing security resources for the Ruby community

CVE-2017-11428 (ruby-saml): Authentication bypass via incorrect XML canonicalization and DOM traversal

ADVISORIES

GEM

ruby-saml

SEVERITY

CVSS v3: 7.7 (High)

CVSS v2: 6.3 (Medium)

PATCHED VERSIONS

  • >= 1.7.0

DESCRIPTION

ruby-saml prior to version 1.7.0 is vulnerable to an authentication bypass via incorrect XML canonicalization and DOM traversal. Specifically, there are inconsistencies in handling of comments within XML nodes, resulting in incorrect parsing of the inner text of XML nodes such that any inner text after the comment is lost prior to cryptographically signing the SAML message. Text after the comment therefore has no impact on the signature on the SAML message.

A remote attacker can modify SAML content for a SAML service provider without invalidating the cryptographic signature, which may allow attackers to bypass primary authentication for the affected SAML service provider.