Skip to content

GHSA SYNC: 1 brand new advisory #811

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Sep 14, 2024
Merged

GHSA SYNC: 1 brand new advisory #811

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 25 additions & 0 deletions gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
---
gem: omniauth-saml
ghsa: cvp8-5r8g-fhvq
url: https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2
title: omniauth-saml vulnerable to Improper Verification of Cryptographic Signature
date: 2024-09-11
description: |
ruby-saml, the dependent SAML gem of omniauth-saml has a signature
wrapping vulnerability in <= v1.12.0 and v1.13.0 to v1.16.0 , see
https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2

As a result, omniauth-saml created a
[new release](https://github.com/omniauth/omniauth-saml/releases)
by upgrading ruby-saml to the patched versions v1.17.
cvss_v3: 10.0
patched_versions:
- ">= 2.1.1"
related:
ghsa:
- https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-cvp8-5r8g-fhvq
- https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2
- https://github.com/advisories/GHSA-cvp8-5r8g-fhvq
url:
- https://github.com/omniauth/omniauth-saml/commit/4274e9d57e65f2dcaae4aa3b2accf831494f2ddd
- https://github.com/omniauth/omniauth-saml/commit/6c681fd082ab3daf271821897a40ab3417382e29
Loading