
Improper Verification of Cryptographic Signature affecting the ruby-saml package, versions <1.12.4 and >=1.13.0, <1.18.0


Severity: critical (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

Exploit Maturity: Proof of Concept. Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.

EPSS: 0.04% (16th percentile). The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: this data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.

  • Snyk ID: SNYK-RUBY-RUBYSAML-9402845
  • published: 13 Mar 2025
  • disclosed: 12 Mar 2025
  • credit: Peter Stöckli

Introduced: 12 Mar 2025

  • CVE-2025-25291 (Common Vulnerabilities and Exposures (CVE) are common identifiers for publicly known security vulnerabilities)
  • CWE-347 (Common Weakness Enumeration (CWE) is a category system for software weaknesses)
  • CWE-436

How to fix?

Upgrade ruby-saml to version 1.12.4, 1.18.0 or higher.

Overview

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to differences in XML document DOCTYPE parsing between REXML and Nokogiri, implemented in xml_security.rb. An attacker can bypass authentication via a Signature Wrapping attack.
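The root cause named above is a parser differential: two XML parsers handling DOCTYPE differently can be fed one byte string and come away with two different documents, so the element that was signature-checked need not be the element the application then trusts. The following pre-check is an added example written for this page; it is not ruby-saml's own code and not part of Snyk's advisory, and the module name SamlPrecheck, its two rules and the sample documents are constructed for illustration. It uses only Ruby's bundled REXML. Rule 1 rejects any DOCTYPE before any parser runs on the bytes (so no two parsers can disagree about it); rule 2 rejects duplicate ID attributes, a general hardening against signature wrapping that goes slightly beyond the specific DOCTYPE case on this page.

```ruby
require "rexml/document"

# Added defensive pre-check (example code, not ruby-saml's own implementation).
# Two rules applied to a raw SAML response before any signature verification:
#   1. reject any document that carries a DOCTYPE, because DOCTYPE handling is
#      where XML parsers disagree, and a SAML response never legitimately needs one;
#   2. reject any document in which two elements share an ID attribute, because a
#      signature Reference resolves "#id" to one element, and an ambiguous ID lets
#      it resolve to an element other than the one the application later reads.
module SamlPrecheck
  DOCTYPE_RE = /<!DOCTYPE/i

  # Any DOCTYPE anywhere in the bytes, even inside a comment, fails closed.
  def self.doctype_present?(xml)
    DOCTYPE_RE.match?(xml)
  end

  # Returns the ID attribute values that occur on more than one element.
  def self.duplicate_ids(xml)
    doc = REXML::Document.new(xml)
    counts = Hash.new(0)
    REXML::XPath.each(doc, "//*[@ID]") { |el| counts[el.attributes["ID"]] += 1 }
    counts.select { |_id, n| n > 1 }.keys
  end

  # true only if the document is well-formed XML and passes both rules.
  def self.safe_to_verify?(xml)
    return false if doctype_present?(xml)
    duplicate_ids(xml).empty?
  rescue REXML::ParseException
    false
  end
end

# Constructed sample documents (not real SAML traffic; no signatures included).
CLEAN_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_resp1">
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
      <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Response>
XML

# Same response with a DTD prepended: rule 1 rejects it before any parser runs.
DOCTYPE_RESPONSE = "<!DOCTYPE samlp:Response>\n" + CLEAN_RESPONSE

# Two assertions carrying the same ID: rule 2 rejects it.
AMBIGUOUS_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_resp1">
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
      <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    </saml:Assertion>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
      <saml:Subject><saml:NameID>bob@example.test</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Response>
XML

if __FILE__ == $PROGRAM_NAME
  { clean: CLEAN_RESPONSE, doctype: DOCTYPE_RESPONSE, ambiguous: AMBIGUOUS_RESPONSE }.each do |name, xml|
    puts "#{name}: #{SamlPrecheck.safe_to_verify?(xml) ? 'ok' : 'rejected'}"
  end
end
```

Run this check on the raw request body before handing the document to the SAML library; the point of doing it on the bytes rather than on a parsed tree is that the decision is made once, before any parser can form its own opinion of the document. The DOCTYPE rule is deliberately blunt (it matches the keyword even inside comments) because a false rejection of a SAML response costs one failed login, while a false acceptance costs an authentication bypass.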

CVSS Base Scores

Snyk recommended score (CVSS version 4.0): 9.3 critical
  • Attack Vector (AV): Network. The attack can be performed over the network.
  • Attack Complexity (AC): Low. The attack does not require special conditions.
  • Attack Requirements (AT): None. No special requirements for the attack.
  • Privileges Required (PR): None. No privileges are required.
  • User Interaction (UI): None. No user interaction is required.
  • Confidentiality (VC): None. No impact on confidentiality.
  • Integrity (VI): High. Significant impact on integrity.
  • Availability (VA): None. No impact on availability.
  • Confidentiality (SC): High. Significant impact on confidentiality.
  • Integrity (SI): High. Significant impact on integrity.
  • Availability (SA): None. No impact on availability.
