CVE-2017-11428
Ruby-SAML Improper Authentication vulnerability
7.7
HIGH
CVSS 3.1
EPSS 0.37%
Description
OneLogin Ruby-SAML 1.6.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.
How to fix CVE-2017-11428
To remediate CVE-2017-11428, upgrade ruby-saml to a fixed version. Two fixed-version entries are listed, one per affected package range below:
- upgrade to 1.7.2-1 or later
- upgrade to 1.7.0 or later
Is CVE-2017-11428 being exploited?
Low. EPSS is 0.37%, the estimated probability that the vulnerability is exploited in the next 30 days, so exploitation activity is not expected at scale. Note that the CVSS vector requires low privileges (PR:L), i.e. the attacker already holds some account at the identity provider, and that the fix is a routine gem upgrade.
Affected packages (2)
- ruby-saml, all versions from 0 up to but not including 1.7.2-1
- ruby-saml, all versions from 0 up to but not including 1.7.0
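As an added example (not part of this advisory or of the ruby-saml project), the following Ruby script audits a Gemfile.lock for a ruby-saml version inside the affected range. It compares against the 1.7.0 bound, the one that applies to a RubyGems version string; the 1.7.2-1 entry carries a hyphenated packaging revision that Gem::Version would parse as a prerelease tag ("1.7.2.pre.1"), so it is deliberately not used for the gem comparison. The sample lockfile text is constructed for the example.

```ruby
require "rubygems"   # provides Gem::Version, part of every modern Ruby

# First gem release the advisory lists as fixed; versions below it are affected.
RUBY_SAML_FIXED = Gem::Version.new("1.7.0")

# Pull every resolved "ruby-saml (x.y.z)" spec line out of Gemfile.lock text.
# The DEPENDENCIES section also names the gem, but only the 4-space-indented
# spec line under GEM/specs carries the resolved version, so match just that.
def ruby_saml_versions(lockfile_text)
  lockfile_text.scan(/^ {4}ruby-saml \(([\w.\-]+)\)/).flatten
end

# True when the resolved version is below the fixed release.
# Gem::Version treats "-" as a prerelease separator ("1.7.0-rc1" => "1.7.0.pre.rc1"),
# so release candidates of 1.7.0 also count as affected, which is the safe reading.
def affected?(version_string)
  Gem::Version.new(version_string) < RUBY_SAML_FIXED
end

# Returns [[version, affected?], ...] for each ruby-saml spec found in the lockfile.
def audit_lockfile(lockfile_text)
  ruby_saml_versions(lockfile_text).map { |v| [v, affected?(v)] }
end

# Constructed sample lockfile (not taken from any real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.8.1)
        mini_portile2 (~> 2.3.0)
      ruby-saml (1.6.0)
        nokogiri (>= 1.5.10)

  PLATFORMS
    ruby

  DEPENDENCIES
    nokogiri
    ruby-saml (~> 1.6)
LOCK

if __FILE__ == $0
  audit_lockfile(SAMPLE_LOCKFILE).each do |version, vulnerable|
    verdict = vulnerable ? "AFFECTED by CVE-2017-11428, upgrade to >= 1.7.0" : "not affected"
    puts "ruby-saml #{version}: #{verdict}"
  end
end
```

To run it against a real project, replace SAMPLE_LOCKFILE with File.read("Gemfile.lock"); the same Gem::Version comparison can be reused at boot time against Gem.loaded_specs["ruby-saml"].version if you want the application itself to refuse to start on a vulnerable gem.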
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 (the vector string is labelled 3.0; both versions yield the same score for it) | HIGH | 7.7 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |