CVE-2017-11430

Published: Apr 17, 2019Modified: Nov 21, 2024

9.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

OmniAuth OmnitAuth-SAML 1.9.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.

Affected (1)

Products: Omniauth: Omniauth Saml

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Omniauth Omniauth Saml	Up to 1.9.0

Related CWEs

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (4)

https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations

Source: security@duo.com

ExploitTechnical DescriptionThird Party Advisory

https://www.kb.cert.org/vuls/id/475445

Source: security@duo.com

Third Party AdvisoryUS Government Resource

https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitTechnical DescriptionThird Party Advisory

https://www.kb.cert.org/vuls/id/475445

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryUS Government Resource

Timeline

No history available yet.