Rubysec

Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at rubysec.com

Advisory Archive

Back

---
gem: ruby-saml
date: 2016-06-24
url: https://github.com/onelogin/ruby-saml/commit/a571f52171e6bfd87db59822d1d9e8c38fb3b995
cve: 2016-5697
title: XML signature wrapping attack
description: |
  ruby-saml prior to version 1.3.0 is vulnerable to an XML signature wrapping attack
  in the specific scenario where there was a signature that referenced at the same time
  2 elements (but past the scheme validator process since 1 of the element was inside
  the encrypted assertion).

  ruby-saml users must update to 1.3.0, which implements 3 extra validations to
  mitigate this kind of attack.
cvss_v3: '6.1'
patched_versions:
- ">= 1.3.0"