Search for packages
| purl | pkg:gem/omniauth-saml@1.10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2ded-zkye-buet
Aliases: GHSA-hw46-3hmr-x9xv |
omniauth-saml has dependency on ruby-saml version with Signature Wrapping Attack issue ### Summary There are 2 new Critical Signature Wrapping Vulnerabilities (CVE-2025-25292, CVE-2025-25291) and a potential DDOS Moderated Vulneratiblity (CVE-2025-25293) affecting ruby-saml, a dependency of omniauth-saml. The fix will be applied to ruby-saml and released 12 March 2025, under version 1.18.0. Please [upgrade](https://github.com/omniauth/omniauth-saml/blob/master/omniauth-saml.gemspec#L16) the ruby-saml requirement to v1.18.0. ### Impact Signature Wrapping Vulnerabilities allows an attacker to impersonate a user. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-w1rp-n9ej-ruhv
Aliases: CVE-2024-45409 GHSA-cvp8-5r8g-fhvq GHSA-jw9c-mfg7-9rx2 |
SAML authentication bypass via Incorrect XPath selector Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-64xw-zwt4-rydy | Improper Authentication OmniAuth OmnitAuth-SAML may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing an attacker to potentially bypass authentication to SAML service providers. |
CVE-2017-11430
GHSA-94hm-8q65-rmxm |