GHSA SYNC: 1 brand new and 1 modified advisory

jasnow · jasnow · commit 9be0839b9be0 · 2024-09-21T06:17:07.000-04:00
diff --git a/gems/google-protobuf/CVE-2024-7254.yml b/gems/google-protobuf/CVE-2024-7254.yml
@@ -44,6 +44,7 @@ description: |+
   * protobuf-kotlin-lite (3.25.5, 4.27.5, 4.28.2)
   * com-protobuf [JRuby gem only] (3.25.5, 4.27.5, 4.28.2)
 
+cvss_v3: 7.5
 cvss_v4: 8.7
 patched_versions:
   - "~> 3.25.5"
diff --git a/gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml b/gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml
@@ -0,0 +1,27 @@
+---
+gem: omniauth-saml
+ghsa: cvp8-5r8g-fhvq
+url: https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2
+title: omniauth-saml vulnerable to Improper Verification of Cryptographic Signature
+date: 2024-09-11
+description: |
+  ruby-saml, the dependent SAML gem of omniauth-saml has a signature
+  wrapping vulnerability in <= v1.12.0 and v1.13.0 to v1.16.0 , see
+  https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2
+
+  As a result, omniauth-saml created a
+  [new release](https://github.com/omniauth/omniauth-saml/releases)
+  by upgrading ruby-saml to the patched versions v1.17.
+cvss_v3: 10.0
+patched_versions:
+  - "~> 1.10.5"
+  - "~> 2.1.2"
+  - ">= 2.2.1"
+related:
+  url:
+    - https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2
+    - https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-cvp8-5r8g-fhvq
+    - https://github.com/omniauth/omniauth-saml/commit/4274e9d57e65f2dcaae4aa3b2accf831494f2ddd
+    - https://github.com/omniauth/omniauth-saml/commit/6c681fd082ab3daf271821897a40ab3417382e29
+    - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml
+    - https://github.com/advisories/GHSA-cvp8-5r8g-fhvq
