RubySec

Providing security resources for the Ruby community

OSVDB-124991 (ruby-saml): Ruby-Saml Gem is vulnerable to XPath Injection

GEM

ruby-saml

SEVERITY

CVSS v2: 6.7 (Medium)

PATCHED VERSIONS

  • >= 1.0.0

DESCRIPTION

ruby-saml before 1.0.0 is vulnerable to XPath injection in xml_security.rb. Because the XPath queries are built without prepared statements (attacker-influenced values are interpolated into the query string), the flaw possibly allows command injection, leading to arbitrary code execution.
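The following is an added example, not ruby-saml's own code, showing the vulnerable pattern the advisory describes beside two defences: rejecting values that are not valid XML IDs, and building a proper XPath literal so the value is treated as data rather than query text. The sample document, function names and the ID-lookup shape are assumptions for illustration and are not taken from xml_security.rb.

```ruby
require "rexml/document"

# Constructed sample input: a minimal, namespace-free stand-in for a SAML
# Response. Real ruby-saml documents are namespaced; the lookup is the same.
SAMPLE_XML = <<~XML
  <Response>
    <Assertion ID="_a1"><Subject>alice</Subject></Assertion>
    <Assertion ID="_a2"><Subject>bob</Subject></Assertion>
  </Response>
XML

def sample_doc
  REXML::Document.new(SAMPLE_XML)
end

# Vulnerable pattern (hypothetical, modelled on the advisory's description):
# a value read from the incoming document is interpolated straight into the
# XPath string, so a quote in the value rewrites the query.
def find_assertion_unsafe(doc, id)
  REXML::XPath.first(doc, "//Assertion[@ID='#{id}']")
end

# Defence 1: allowlist. XML IDs are NCNames, so a value containing quotes,
# brackets or spaces is rejected before it reaches the query. (ASCII subset
# of NCName; widen it if your documents use non-ASCII identifiers.)
NCNAME = /\A[A-Za-z_][A-Za-z0-9_.\-]*\z/

def find_assertion_validated(doc, id)
  raise ArgumentError, "invalid XML ID: #{id.inspect}" unless id.match?(NCNAME)
  REXML::XPath.first(doc, "//Assertion[@ID='#{id}']")
end

# Defence 2: emit a correct XPath 1.0 string literal. XPath has no escape
# character, so a value holding both quote kinds must be assembled with
# concat(). This is the closest thing to a prepared statement when the
# engine offers no variable binding.
def xpath_literal(value)
  return "'#{value}'" unless value.include?("'")
  return "\"#{value}\"" unless value.include?('"')
  "concat('#{value.split("'", -1).join(%q(',"'",'))}')"
end

def find_assertion_escaped(doc, id)
  REXML::XPath.first(doc, "//Assertion[@ID=#{xpath_literal(id)}]")
end

# Returns the ID of the matched assertion, or nil when nothing matched.
def matched_id(node)
  node && node.attributes["ID"]
end
```

With the input `_a2' or '1'='1` the unsafe lookup silently returns the first assertion in the document; the validated lookup raises, and the escaped lookup returns nil.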