OneLogin Ruby-SAML 1.6.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.
References
Link | Resource |
---|---|
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations | Exploit Technical Description Third Party Advisory |
https://www.kb.cert.org/vuls/id/475445 | US Government Resource Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: duo
Published: 2019-04-17T13:59:53
Updated: 2019-04-17T13:59:53
Reserved: 2017-07-18T00:00:00
Link: CVE-2017-11428
JSON object: View
NVD Information
Status : Modified
Published: 2019-04-17T14:29:00.323
Modified: 2019-10-09T23:22:05.853
Link: CVE-2017-11428
JSON object: View
Redhat Information
No data.
CWE