Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at

Advisory Archive


gem: omniauth-saml
date: 2018-02-27
cve: 2017-11430
title: omniauth-saml authentication bypass via incorrect XML canonicalization and
  DOM traversal
description: |
  OmniAuth OmnitAuth-SAML 1.9.0 and earlier may incorrectly utilize the
  results of XML DOM traversal and canonicalization APIs in such a way that an attacker
  may be able to manipulate the SAML data without invalidating the cryptographic signature,
  allowing the attack to potentially bypass authentication to SAML service providers.
cvss_v2: '7.5'
cvss_v3: '9.8'
- ">= 1.10.0"