Headline
Debian Security Advisory 5774-1
Debian Linux Security Advisory 5774-1 - It was discovered that ruby-saml, a SAML library implementing the client side of a SAML authorization, does not properly verify the signature of the SAML Response, which could result in bypass of authentication in an application using the ruby-saml library.
-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5774-1 [email protected]://www.debian.org/security/ Salvatore BonaccorsoSeptember 20, 2024 https://www.debian.org/security/faq- -------------------------------------------------------------------------Package : ruby-samlCVE ID : CVE-2024-45409Debian Bug : 1081560It was discovered that ruby-saml, a SAML library implementing the clientside of a SAML authorization, does not properly verify the signature ofthe SAML Response, which could result in bypass of authentication in anapplication using the ruby-saml library.For the stable distribution (bookworm), this problem has been fixed inversion 1.13.0-1+deb12u1.We recommend that you upgrade your ruby-saml packages.For the detailed security status of ruby-saml please refer to itssecurity tracker page at:https://security-tracker.debian.org/tracker/ruby-samlFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: [email protected] PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmbtwvxfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0T5Rw//chUPp0lZSQP5tWnyblbMyBbmVbqSfl1genngyWPv0aKts/ugJ1GBOw8in26OOvcn+clgSFa3LQRw3FPkRxSuKtnLs2xHc++tcG46YdpFT1JEc26KpEuBu6d6nCaMKfoveWSoNvhT3TGo3CMM/SKvxsc2KQgr3x9cJWr892m54MSqB3PUA0jYlCPu8s5EOyygkTf4T0Ogjjcz+IUWwEmuzqyazsSu8GyLx1DVyKyomMVrjNq3b9DhTR5WxK+X6miVVyldfccfG4khFAR9RvpIVltBpQBnjaCmWGn+ryKu23vN5eZoA2Cb+qToEVFd/2HwbXaLowVDyChbtuKhaR+M3pGgCRW2AYHFILZxYWM0+hgMx4NOgIANywm5xsK+hYEPJdWyI5sYqq/OUINKZOcw+m/xGf7hZTcctuPp3w4lNxGxINZOnl11Bv01tQjK1PtsIuVDWX3bk6hk7h4Y5khedyDhceAk/ENbZs9r79ejoGYRHiMhtUpnQep33zXSZdsD051v1VIWq6Wrb2HFu5EABNRJ6EdzfjilXperDnwTYvgjktAwwmvWDhyPv0Ii5d+81HntH6koeT7YCWAJp6EFMCf+8PmkZPeC60hxZ6lGscFMJJp6iqkXdw7fKSVV4tsEAD73sCgGs90voChnvxM7EFdVA3z4VfVnV9nm4GhF5O4=TVF9-----END PGP SIGNATURE-----Related news
The tack highlights bad actors' interest in trusted development and collaboration platforms — and their users.
Company urges organizations using self-hosting GitLab instances to apply updates for CVE-2024-45409 as soon as possible.
GitLab has released patches to address a critical flaw impacting Community Edition (CE) and Enterprise Edition (EE) that could result in an authentication bypass. The vulnerability is rooted in the ruby-saml library (CVE-2024-45409, CVSS score: 10.0), which could allow an attacker to log in as an arbitrary user within the vulnerable system. It was addressed by the maintainers last week. The
Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system. This vulnerability was reported by ahacker1 of SecureSAML ([email protected])