Improper Verification of Cryptographic Signature in omniauth-saml
Package
Affected versions
<= 2.1.0
<= 2.1.0
<= 1.10.3
Patched versions
2.2.1
2.1.2
1.10.5
Description
Credits
-
ahacker1-securesaml Reporter
-
suprnova32 Remediation reviewer
-
rajiv Remediation reviewer
-
bufferoverflow Remediation developer
ruby-saml, the dependent SAML gem of omniauth-saml has a signature wrapping vulnerability in <= v1.12.0 and v1.13.0 to v1.16.0 , see GHSA-jw9c-mfg7-9rx2
As a result, omniauth-saml created a new release by upgrading ruby-saml to the patched versions v1.17.