CVE-2024-45409: The Ruby SAML library vulnerable to a SAML authentication bypass via Incorrect XPath selector

Published Sep 10, 2024
·
Updated

Last updated 23 September 2024

Other sources

Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system.

This vulnerability was reported by ahacker1 of SecureSAML (ahacker1@securesaml.com)

GitHub

SAML-Toolkits Ruby SAML could allow a remote attacker to bypass security restrictions, caused by improper validation of signature of the SAML Response. By sending a specially crafted SAML Response/Assertion with arbitrary contents, an attacker could exploit this vulnerability to log in as arbitrary user on the system.

IBM

The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system. This vulnerability is fixed in 1.17.0 and 1.12.3.

MITRE

Updates dependencies omniauth-saml to version 2.2.1 and ruby-saml to 1.17.0 to mitigate CVE-2024-45409. This security vulnerability applies only to instances which have configured SAML based authentication.

GitLab

Affected Software

14 affected componentsFixes available
rubygems/ruby-saml>=1.13.0<1.17.0
1.17.0
rubygems/ruby-saml<1.12.3
1.12.3
onelogin Ruby-SAML<1.12.3
onelogin Ruby-SAML>=1.13.0<1.17.0
OmniAuth Omniauth Saml Ruby<=1.10.3
OmniAuth Omniauth Saml Ruby=2.0.0
OmniAuth Omniauth Saml Ruby=2.1.0
GitLab GitLab<16.11.10
GitLab GitLab>=17.0.0<17.0.8
GitLab GitLab>=17.1.0<17.1.8
GitLab GitLab>=17.2.0<17.2.7
GitLab GitLab>=17.3.0<17.3.3
debian/ruby-saml<=1.11.0-1
1.11.0-1+deb11u11.13.0-1+deb12u11.17.0-1
IBM Aspera Shares<=1.9.9 - 1.10.0 PL7

Remediation

Patch Available

https://github.com/SAML-Toolkits/ruby-saml/commit/1ec5392bc506fe43a02dbb66b68741051c5ffeae

Patch Available

https://github.com/SAML-Toolkits/ruby-saml/commit/4865d030cae9705ee5cdb12415c654c634093ae7

Event History

Sep 10, 2024
CVE Published
via MITRE·06:50 PM
Data Sourced
via MITRE·06:50 PM
DescriptionSeverityWeakness
Advisory Published
via GitHub·07:42 PM
Sep 18, 2024
News Published
via BleepingComputer·06:37 PM
News Published
via BleepingComputer·06:37 PM
Feb 28, 2025
Data Sourced
via Ubuntu·06:06 PM
RemedyDescriptionSeverityAffected Software
Apr 22, 2026
Data Sourced
via GitLab·08:55 AM
Description

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2024-45409?

CVE-2024-45409 has been assigned a high severity rating due to its potential for allowing unauthenticated attackers to forge SAML Responses.

2

How do I fix CVE-2024-45409?

To fix CVE-2024-45409, upgrade ruby-saml to version 1.17.0 or 1.12.3 or higher.

3

Which versions of Ruby-SAML are affected by CVE-2024-45409?

Versions of Ruby-SAML from 1.0.0 to 1.16.0 are affected by CVE-2024-45409.

4

Can CVE-2024-45409 be exploited remotely?

Yes, CVE-2024-45409 can be exploited remotely by attackers who have access to any signed SAML document.

5

Is authentication required to exploit CVE-2024-45409?

No, CVE-2024-45409 can be exploited by unauthenticated attackers.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203