CVE-2017-11430

OmniAuth OmnitAuth-SAML 1.9.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.
References
Link Resource
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations Exploit Technical Description Third Party Advisory
https://www.kb.cert.org/vuls/id/475445 Third Party Advisory US Government Resource
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations Exploit Technical Description Third Party Advisory
https://www.kb.cert.org/vuls/id/475445 Third Party Advisory US Government Resource
Configurations

Configuration 1 (hide)

cpe:2.3:a:omniauth:omniauth_saml:*:*:*:*:*:*:*:*

History

21 Nov 2024, 03:07

Type Values Removed Values Added
CVSS v2 : 7.5
v3 : 9.8
v2 : 7.5
v3 : 7.7
References () https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations - Exploit, Technical Description, Third Party Advisory () https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations - Exploit, Technical Description, Third Party Advisory
References () https://www.kb.cert.org/vuls/id/475445 - Third Party Advisory, US Government Resource () https://www.kb.cert.org/vuls/id/475445 - Third Party Advisory, US Government Resource

20 Sep 2024, 16:21

Type Values Removed Values Added
First Time Omniauth omniauth Saml
Omniauth
CPE cpe:2.3:a:omnitauth-saml_project:omnitauth-saml:*:*:*:*:*:*:*:* cpe:2.3:a:omniauth:omniauth_saml:*:*:*:*:*:*:*:*

Information

Published : 2019-04-17 14:29

Updated : 2024-11-21 03:07


NVD link : CVE-2017-11430

Mitre link : CVE-2017-11430

CVE.ORG link : CVE-2017-11430


JSON object : View

Products Affected

omniauth

  • omniauth_saml
CWE
CWE-287

Improper Authentication