vicvega
commented
4 years ago It is not related to omniauth, but omniauth-saml See https://github.com/omniauth/omniauth-saml/issues/156
Closed mend-bolt-for-github[bot] closed 4 years ago
vicvega
commented
4 years ago It is not related to omniauth, but omniauth-saml See https://github.com/omniauth/omniauth-saml/issues/156
CVE-2017-11430 - High Severity Vulnerability
A generalized Rack framework for multiple-provider authentication.
Library home page: https://rubygems.org/gems/omniauth-1.9.0.gem
Path to dependency file: /chaltron/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.3.0/cache/omniauth-1.9.0.gem
Dependency Hierarchy: - gitlab_omniauth-ldap-2.1.1.gem (Root Library) - :x: **omniauth-1.9.0.gem** (Vulnerable Library)
Found in HEAD commit: d21028cd02d14abca6761f653c04fc95bf92973c
OmniAuth OmnitAuth-SAML 1.9.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.
Publish Date: 2019-04-17
URL: CVE-2017-11430
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://www.kb.cert.org/vuls/id/475445/
Release Date: 2019-04-17
Fix Resolution: v1.10.0
Step up your Open Source Security Game with WhiteSource here