gsd-2017-11428
Vulnerability from gsd
Modified
2018-02-27 00:00
Details
ruby-saml prior to version 1.7.0 is vulnerable to an authentication bypass via incorrect XML canonicalization and DOM traversal. Specifically, there are inconsistencies in handling of comments within XML nodes, resulting in incorrect parsing of the inner text of XML nodes such that any inner text after the comment is lost prior to cryptographically signing the SAML message. Text after the comment therefore has no impact on the signature on the SAML message. A remote attacker can modify SAML content for a SAML service provider without invalidating the cryptographic signature, which may allow attackers to bypass primary authentication for the affected SAML service provider.
Aliases
Aliases
CVE-2017-11428


To clipboard 

{
  "GSD": {
    "alias": "CVE-2017-11428",
    "description": "OneLogin Ruby-SAML 1.6.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.",
    "id": "GSD-2017-11428"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "ruby-saml",
            "purl": "pkg:gem/ruby-saml"
          }
        }
      ],
      "aliases": [
        "CVE-2017-11428",
        "GHSA-x2fr-v8wf-8wwv"
      ],
      "details": "ruby-saml prior to version 1.7.0 is vulnerable to an authentication bypass via incorrect\nXML canonicalization and DOM traversal. Specifically, there are inconsistencies in\nhandling of comments within XML nodes, resulting in incorrect parsing of the inner text\nof XML nodes such that any inner text after the comment is lost prior to\ncryptographically signing the SAML message. Text after the comment therefore has no\nimpact on the signature on the SAML message.\n\nA remote attacker can modify SAML content for a SAML service provider without\ninvalidating the cryptographic signature, which may allow attackers to bypass\nprimary authentication for the affected SAML service provider.\n",
      "id": "GSD-2017-11428",
      "modified": "2018-02-27T00:00:00.000Z",
      "published": "2018-02-27T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/onelogin/ruby-saml/commit/048a544730930f86e46804387a6b6fad50d8176f"
        },
        {
          "type": "WEB",
          "url": "https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations"
        },
        {
          "type": "WEB",
          "url": "https://www.kb.cert.org/vuls/id/475445"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 6.3,
          "type": "CVSS_V2"
        },
        {
          "score": 7.7,
          "type": "CVSS_V3"
        }
      ],
      "summary": "Authentication bypass via incorrect XML canonicalization and DOM traversal"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@duo.com",
        "ID": "CVE-2017-11428",
        "STATE": "PUBLIC",
        "TITLE": " Multiple SAML libraries may allow authentication bypass via incorrect XML canonicalization and DOM traversal"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Ruby-SAML",
                    "version": {
                      "version_data": [
                        {
                          "affected": "\u003c",
                          "version_value": "1.6.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "OneLogin"
            }
          ]
        }
      },
      "credit": [
        {
          "lang": "eng",
          "value": "Kelby Ludwig of Duo Security"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "OneLogin Ruby-SAML 1.6.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
          "version": "3.0"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-287: Improper Authentication"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations",
            "refsource": "MISC",
            "url": "https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations"
          },
          {
            "name": "https://www.kb.cert.org/vuls/id/475445",
            "refsource": "MISC",
            "url": "https://www.kb.cert.org/vuls/id/475445"
          }
        ]
      },
      "source": {
        "discovery": "INTERNAL"
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2017-11428",
      "cvss_v2": 6.3,
      "cvss_v3": 7.7,
      "date": "2018-02-27",
      "description": "ruby-saml prior to version 1.7.0 is vulnerable to an authentication bypass via incorrect\nXML canonicalization and DOM traversal. Specifically, there are inconsistencies in\nhandling of comments within XML nodes, resulting in incorrect parsing of the inner text\nof XML nodes such that any inner text after the comment is lost prior to\ncryptographically signing the SAML message. Text after the comment therefore has no\nimpact on the signature on the SAML message.\n\nA remote attacker can modify SAML content for a SAML service provider without\ninvalidating the cryptographic signature, which may allow attackers to bypass\nprimary authentication for the affected SAML service provider.\n",
      "gem": "ruby-saml",
      "ghsa": "x2fr-v8wf-8wwv",
      "patched_versions": [
        "\u003e= 1.7.0"
      ],
      "related": {
        "url": [
          "https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations",
          "https://www.kb.cert.org/vuls/id/475445"
        ]
      },
      "title": "Authentication bypass via incorrect XML canonicalization and DOM traversal",
      "url": "https://github.com/onelogin/ruby-saml/commit/048a544730930f86e46804387a6b6fad50d8176f"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c1.6.2",
          "affected_versions": "All versions before 1.6.2",
          "credit": "Kelby Ludwig (Duo Security), Garret Wassermann",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "cwe_ids": [
            "CWE-1035",
            "CWE-287",
            "CWE-937"
          ],
          "date": "2019-10-09",
          "description": "Some XML DOM traversal and canonicalization APIs may be inconsistent in handling of comments within XML nodes. Incorrect use of these APIs by some SAML libraries results in incorrect parsing of the inner text of XML nodes such that any inner text after the comment is lost prior to cryptographically signing the SAML message. Text after the comment therefore has no impact on the signature on the SAML message. A remote attacker can modify SAML content for a SAML service provider without invalidating the cryptographic signature, which may allow attackers to bypass primary authentication for the affected SAML service provider ",
          "fixed_versions": [
            "1.6.2"
          ],
          "identifier": "CVE-2017-11428",
          "identifiers": [
            "CVE-2017-11428"
          ],
          "not_impacted": "1.6.2 and above",
          "package_slug": "gem/ruby-saml",
          "pubdate": "2019-04-17",
          "solution": "Upgrade to 1.6.2 or above",
          "title": "Authentication bypass via incorrect DOM traversal and canonicalization",
          "urls": [
            "https://cwe.mitre.org/data/definitions/287.html",
            "https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations",
            "https://github.com/onelogin/ruby-saml/commit/048a544730930f86e46804387a6b6fad50d8176f",
            "https://github.com/onelogin/ruby-saml/releases/tag/v1.6.2",
            "https://shibboleth.net/community/advisories/secadv_20180112.txt",
            "https://www.kb.cert.org/vuls/id/475445"
          ],
          "uuid": "812dec0c-a926-44de-9aa5-f1ad00964bb9"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:onelogin:ruby-saml:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "1.6.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@duo.com",
          "ID": "CVE-2017-11428"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "OneLogin Ruby-SAML 1.6.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-287"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.kb.cert.org/vuls/id/475445",
              "refsource": "MISC",
              "tags": [
                "US Government Resource",
                "Third Party Advisory"
              ],
              "url": "https://www.kb.cert.org/vuls/id/475445"
            },
            {
              "name": "https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Technical Description",
                "Third Party Advisory"
              ],
              "url": "https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2019-10-09T23:22Z",
      "publishedDate": "2019-04-17T14:29Z"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.