
Advisory Archive


gem: ruby-saml
date: 2016-06-24
cve: 2016-5697
title: XML signature wrapping attack
description: |
  ruby-saml prior to version 1.3.0 is vulnerable to an XML signature wrapping attack
  in the specific scenario where a signature referenced two elements at the same time
  but still passed the schema validator, because one of the elements was inside
  the encrypted assertion.

  ruby-saml users must update to 1.3.0, which implements 3 extra validations to
  mitigate this kind of attack.
cvss_v2: '5.0'
cvss_v3: '7.5'
patched_versions:
  - ">= 1.3.0"
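As an added illustration (not code from the advisory or from ruby-saml itself), the Ruby check below rejects the signature layout this advisory describes: a Signature whose SignedInfo references more than one element, a reference that does not target the element enclosing the signature, or a referenced ID that occurs more than once in the document. The function name and the sample messages are assumptions for this example; it uses only REXML from the standard library.

```ruby
require 'rexml/document'

# Namespaces for SAML 2.0 protocol messages and XML-DSig.
NS = { 'ds' => 'http://www.w3.org/2000/09/xmldsig#',
       'samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol' }.freeze

# Structural checks on every ds:Signature in a response; returns the reasons for
# rejection, [] meaning the layout is acceptable. Hypothetical example: it does not
# verify the signature value itself, which is a separate step.
def signature_layout_problems(xml)
  doc = REXML::Document.new(xml)
  problems = []
  sigs = REXML::XPath.match(doc, '//ds:Signature', NS)
  problems << 'no signature found' if sigs.empty?
  sigs.each do |sig|
    refs = REXML::XPath.match(sig, 'ds:SignedInfo/ds:Reference', NS)
    # A wrapping attack needs the signature to cover more than one element.
    unless refs.size == 1
      problems << "signature has #{refs.size} references, expected exactly 1"
      next
    end
    uri = refs.first.attributes['URI'].to_s
    unless uri.match?(/\A#[\w.-]+\z/)
      problems << "reference URI #{uri.inspect} is not a same-document ID"
      next
    end
    # The one reference must point at the element that envelops the signature ...
    unless uri == "##{sig.parent.attributes['ID']}"
      problems << "reference #{uri} does not target the enclosing element"
    end
    # ... and that ID must be unique, so verifier and consumer read the same node.
    hits = REXML::XPath.match(doc, "//*[@ID='#{uri[1..-1]}']")
    problems << "ID #{uri} appears #{hits.size} times" unless hits.size == 1
  end
  problems
end

# Constructed sample messages (not real SAML traffic), trimmed to the relevant elements.
GOOD = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
      <ds:Reference URI="#_r1"/></ds:SignedInfo></ds:Signature>
  </samlp:Response>
XML
WRAPPED = GOOD.sub('<ds:Reference URI="#_r1"/>',
                   '<ds:Reference URI="#_r1"/><ds:Reference URI="#_a1"/>')
```

Running `signature_layout_problems(WRAPPED)` reports the two-reference layout, while `GOOD` yields an empty list.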