CVE-2024-45409

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-45409
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-45409.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-45409
Aliases
Related
Published
2024-09-10T19:15:22Z
Modified
2024-11-11T10:57:44.532170Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system. This vulnerability is fixed in 1.17.0 and 1.12.3.

References

Affected packages

Debian:11 / ruby-saml

Package

Name
ruby-saml
Purl
pkg:deb/debian/ruby-saml?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.11.0-1+deb11u1

Affected versions

1.*

1.11.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / ruby-saml

Package

Name
ruby-saml
Purl
pkg:deb/debian/ruby-saml?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.13.0-1+deb12u1

Affected versions

1.*

1.13.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / ruby-saml

Package

Name
ruby-saml
Purl
pkg:deb/debian/ruby-saml?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.17.0-1

Affected versions

1.*

1.13.0-1
1.15.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/saml-toolkits/ruby-saml

Affected ranges

Type
GIT
Repo
https://github.com/saml-toolkits/ruby-saml
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Type
GIT
Repo
https://gitlab.com/gitlab-org/gitlab
Events

Affected versions

0.*

0.7.3
0.8.0
0.8.1

1.*

1.3.1
1.4.0
1.4.1
1.4.2
1.4.3
1.5.0

v0.*

v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.3.4
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.4.4
v0.4.5
v0.4.6
v0.4.7
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.6.0
v0.7.1
v0.9
v0.9.1
v0.9.2

v1.*

v1.0.0
v1.1.0
v1.1.1
v1.1.2
v1.10.0
v1.10.1
v1.10.2
v1.11.0
v1.12.0
v1.12.1
v1.12.2
v1.13.0
v1.14.0
v1.15.0
v1.16.0
v1.2.0
v1.3.0
v1.6.0
v1.6.1
v1.6.2
v1.7.0
v1.7.1
v1.7.2
v1.8.0
v1.9.0

v17.*

v17.0.0-ee
v17.0.1-ee
v17.0.1-rc42-ee
v17.0.2-ee
v17.0.3-ee
v17.0.4-ee
v17.0.5-ee
v17.0.6-ee
v17.0.7-ee