ADVISORIES

• OSVDB-124991
• Vendor Advisory

GEM

ruby-saml

SEVERITY

CVSS v2.0: 6.7 (Medium)

PATCHED VERSIONS

• >= 1.0.0

DESCRIPTION

ruby-saml before 1.0.0 is vulnerable to XPath injection on xml_security.rb. The lack of prepared statements allows for possibly command injection, leading to arbitrary code execution.

RELATED

• https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.0.0
• https://github.com/SAML-Toolkits/ruby-saml/pull/225
• https://security.snyk.io/vuln/SNYK-RUBY-RUBYSAML-20217
• https://www.mend.io/vulnerability-database/WS-2015-0036