[CVE-2016-5697] signature wrapping attack vulnerability in ruby-saml prior to version 1.3.0


Alvaro Hoyos

Jun 24, 2016, 2:35:34 PM
to ruby-sec...@googlegroups.com, rubysec-...@googlegroups.com, oss-se...@lists.openwall.com

Overview: 
Ruby-saml prior to version 1.3.0 is vulnerable to an XML signature wrapping attack. Ruby-saml users must update to version 1.3.0, which implements 3 extra validations to mitigate this kind of attack.

Overall CVSS Score 6.1

Fix: Add extra validations to prevent Signature wrapping attacks [1]

[1] https://github.com/onelogin/ruby-saml


alvaro j hoyos | chief information security officer | alvaro...@onelogin.com | +1 415.653.1893 | skype: alvaroonelogin
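As an added illustration, not code from the advisory or from ruby-saml itself: the post says 1.3.0 adds extra validations against signature wrapping but does not list them, so the checks below are this editor's own example of the structural sanity checks a SAML consumer can run before cryptographic verification (unique IDs, exactly one Assertion, an enveloped Signature directly under it, and a same-document Reference URI that matches the Assertion's ID). The helper name and the sample documents are constructed; the SignatureValue is a placeholder, and real deployments should rely on the library's own validation rather than this snippet.

```ruby
require "rexml/document"

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS   = "http://www.w3.org/2000/09/xmldsig#"
NS      = { "saml" => SAML_NS, "ds" => DS_NS }

# Structural checks to run BEFORE verifying the XML signature.
# Hypothetical helper (not ruby-saml's API); returns [true, "ok"] or [false, reason].
def check_signature_structure(xml)
  doc = REXML::Document.new(xml)

  # 1. Every ID attribute must be unique: a duplicated ID lets an unsigned
  #    element be resolved in place of the one the signature covers.
  ids = REXML::XPath.match(doc, "//*[@ID]").map { |e| e.attributes["ID"] }
  dupes = ids.select { |i| ids.count(i) > 1 }.uniq
  return [false, "duplicate ID attributes: #{dupes.join(',')}"] unless dupes.empty?

  # 2. Exactly one Assertion; a second one is what a wrapped response carries.
  assertions = REXML::XPath.match(doc, "//saml:Assertion", NS)
  return [false, "expected exactly one Assertion, found #{assertions.size}"] unless assertions.size == 1
  assertion = assertions.first

  # 3. The Signature must be a direct child of that Assertion (enveloped).
  sig = REXML::XPath.first(assertion, "ds:Signature", NS)
  return [false, "Assertion carries no enveloped Signature"] if sig.nil?

  # 4. The signed Reference must point, same-document, at this Assertion's ID.
  ref = REXML::XPath.first(sig, "ds:SignedInfo/ds:Reference", NS)
  return [false, "Signature has no Reference"] if ref.nil?
  uri = ref.attributes["URI"].to_s
  return [false, "Reference URI #{uri.inspect} is not a same-document reference"] unless uri.start_with?("#")
  id = assertion.attributes["ID"]
  return [false, "Reference URI #{uri} does not match Assertion ID #{id}"] unless uri[1..-1] == id

  [true, "ok"]
end

# Constructed sample documents (no real signatures; SignatureValue is a placeholder).
GOOD_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">
    <saml:Assertion ID="_a1">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
      </ds:Signature>
      <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Response>
XML

# Same signed assertion plus a second, unsigned one: must be rejected.
WRAPPED_RESPONSE = GOOD_RESPONSE.sub("</samlp:Response>", <<~XML)
    <saml:Assertion ID="_a2">
      <saml:Subject><saml:NameID>bob</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Response>
XML

# Single assertion whose Reference points at the Response, not the Assertion.
MISMATCHED_REF_RESPONSE = GOOD_RESPONSE.sub('URI="#_a1"', 'URI="#_r1"')

if __FILE__ == $0
  { good: GOOD_RESPONSE, wrapped: WRAPPED_RESPONSE, mismatched: MISMATCHED_REF_RESPONSE }.each do |name, xml|
    ok, reason = check_signature_structure(xml)
    puts "#{name}: #{ok ? 'accepted' : 'rejected'} (#{reason})"
  end
end
```

These checks only constrain the document's shape; the signature itself still has to be verified against the IdP's certificate afterwards, and the Assertion that is consumed must be the same node the Reference resolved to.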