VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-ezvv-kjum-jkdd

Essentials
Severities (30)
References (13)
Severity details (25)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-ezvv-kjum-jkdd
Aliases	CVE-2015-20108 GHSA-r364-2pj4-pf7f OSV-124991
Summary	xml_security.rb in the ruby-saml gem before 1.0.0 for Ruby allows XPath injection and code execution because prepared statements are not used.
Status	Published
Exploitability	0.5
Weighted Severity	9.0
Risk	4.5
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-77	Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.01183	https://api.first.org/data/v1/epss?cve=CVE-2015-20108
epss	0.01183	https://api.first.org/data/v1/epss?cve=CVE-2015-20108
epss	0.01183	https://api.first.org/data/v1/epss?cve=CVE-2015-20108
epss	0.01183	https://api.first.org/data/v1/epss?cve=CVE-2015-20108
cvssv3.1_qr	CRITICAL	https://github.com/advisories/GHSA-r364-2pj4-pf7f
cvssv3.1	9.8	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/ruby-saml/CVE-2015-20108.yml
generic_textual	CRITICAL	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/ruby-saml/CVE-2015-20108.yml
cvssv3.1	9.8	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/ruby-saml/OSVDB-124991.yml
generic_textual	CRITICAL	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/ruby-saml/OSVDB-124991.yml
ssvc	Track	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/ruby-saml/OSVDB-124991.yml
cvssv3.1	9.8	https://github.com/SAML-Toolkits/ruby-saml
generic_textual	CRITICAL	https://github.com/SAML-Toolkits/ruby-saml
cvssv3.1	9.8	https://github.com/SAML-Toolkits/ruby-saml/commit/9853651b96b99653ea8627d757d46bfe62ab6448
generic_textual	CRITICAL	https://github.com/SAML-Toolkits/ruby-saml/commit/9853651b96b99653ea8627d757d46bfe62ab6448
ssvc	Track	https://github.com/SAML-Toolkits/ruby-saml/commit/9853651b96b99653ea8627d757d46bfe62ab6448
cvssv3.1	9.8	https://github.com/SAML-Toolkits/ruby-saml/compare/v0.9.2...v1.0.0
generic_textual	CRITICAL	https://github.com/SAML-Toolkits/ruby-saml/compare/v0.9.2...v1.0.0
ssvc	Track	https://github.com/SAML-Toolkits/ruby-saml/compare/v0.9.2...v1.0.0
cvssv3.1	9.8	https://github.com/SAML-Toolkits/ruby-saml/pull/225
generic_textual	CRITICAL	https://github.com/SAML-Toolkits/ruby-saml/pull/225
ssvc	Track	https://github.com/SAML-Toolkits/ruby-saml/pull/225
cvssv3.1	9.8	https://nvd.nist.gov/vuln/detail/CVE-2015-20108
generic_textual	CRITICAL	https://nvd.nist.gov/vuln/detail/CVE-2015-20108
cvssv3.1	9.8	https://security.netapp.com/advisory/ntap-20230703-0003
generic_textual	CRITICAL	https://security.netapp.com/advisory/ntap-20230703-0003
cvssv3.1	9.8	https://security.netapp.com/advisory/ntap-20230703-0003/
ssvc	Track	https://security.netapp.com/advisory/ntap-20230703-0003/
cvssv3	9.8	https://security.snyk.io/vuln/SNYK-RUBY-RUBYSAML-20217
cvssv3.1	9.8	https://security.snyk.io/vuln/SNYK-RUBY-RUBYSAML-20217
generic_textual	CRITICAL	https://security.snyk.io/vuln/SNYK-RUBY-RUBYSAML-20217

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2015-20108
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-20108
		https://github.com/rubysec/ruby-advisory-db/blob/master/gems/ruby-saml/CVE-2015-20108.yml
		https://github.com/SAML-Toolkits/ruby-saml
		https://nvd.nist.gov/vuln/detail/CVE-2015-20108
		https://security.netapp.com/advisory/ntap-20230703-0003
		https://security.snyk.io/vuln/SNYK-RUBY-RUBYSAML-20217
225		https://github.com/SAML-Toolkits/ruby-saml/pull/225
9853651b96b99653ea8627d757d46bfe62ab6448		https://github.com/SAML-Toolkits/ruby-saml/commit/9853651b96b99653ea8627d757d46bfe62ab6448
GHSA-r364-2pj4-pf7f		https://github.com/advisories/GHSA-r364-2pj4-pf7f
ntap-20230703-0003		https://security.netapp.com/advisory/ntap-20230703-0003/
OSVDB-124991.yml		https://github.com/rubysec/ruby-advisory-db/blob/master/gems/ruby-saml/OSVDB-124991.yml
v0.9.2...v1.0.0		https://github.com/SAML-Toolkits/ruby-saml/compare/v0.9.2...v1.0.0

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/ruby-saml/CVE-2015-20108.yml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/ruby-saml/OSVDB-124991.yml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-01-14T18:38:57Z/ Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/ruby-saml/OSVDB-124991.yml

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/SAML-Toolkits/ruby-saml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/SAML-Toolkits/ruby-saml/commit/9853651b96b99653ea8627d757d46bfe62ab6448

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-01-14T18:38:57Z/ Found at https://github.com/SAML-Toolkits/ruby-saml/commit/9853651b96b99653ea8627d757d46bfe62ab6448

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/SAML-Toolkits/ruby-saml/compare/v0.9.2...v1.0.0

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-01-14T18:38:57Z/ Found at https://github.com/SAML-Toolkits/ruby-saml/compare/v0.9.2...v1.0.0

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/SAML-Toolkits/ruby-saml/pull/225

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-01-14T18:38:57Z/ Found at https://github.com/SAML-Toolkits/ruby-saml/pull/225

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2015-20108

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://security.netapp.com/advisory/ntap-20230703-0003

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://security.netapp.com/advisory/ntap-20230703-0003/

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-01-14T18:38:57Z/ Found at https://security.netapp.com/advisory/ntap-20230703-0003/

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://security.snyk.io/vuln/SNYK-RUBY-RUBYSAML-20217

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.79185
EPSS Score	0.01183
Published At	June 11, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-11T17:33:29.676228+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2015/20xxx/CVE-2015-20108.json	38.6.0