oss-sec mailing list archives
[CVE-2016-5697] signature wrapping attack vulnerability in ruby-saml prior to version 1.3.0
From: Alvaro Hoyos <alvaro.hoyos () onelogin com>
Date: Fri, 24 Jun 2016 10:14:46 -0700
Overview:

Ruby-saml prior to version 1.3.0 is vulnerable to an XML signature wrapping attack. Ruby-saml users must update to version 1.3.0, which implements 3 extra validations to mitigate this kind of attack.

Overall CVSS Score: 6.1

Fix: Add extra validations to prevent Signature wrapping attacks [1]

[1] https://github.com/onelogin/ruby-saml

alvaro j hoyos | chief information security officer | alvaro.hoyos () onelogin com | +1 415.653.1893 | skype: alvaroonelogin
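The advisory names the attack class but not the checks. The following is an added example, not code from the advisory and not ruby-saml's own implementation (the three validations 1.3.0 added are in the linked repository). It shows the kind of structural checks that defeat signature wrapping: a Response must carry exactly one Assertion, each Signature's Reference URI must point at the element that envelops that Signature, and the Assertion the application would consume must lie inside a signed element. It uses only Ruby's stdlib REXML; both sample documents are constructed for this example, the SignatureValue is a placeholder, and no cryptographic verification is performed (that step still has to run separately).

```ruby
require 'rexml/document'

# Namespaces used by SAML 2.0 responses and XML Digital Signature.
NS = {
  'saml'  => 'urn:oasis:names:tc:SAML:2.0:assertion',
  'samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol',
  'ds'    => 'http://www.w3.org/2000/09/xmldsig#'
}.freeze

# Structural checks against XML signature wrapping. Returns an array of
# finding strings; an empty array means the document passed every check.
# This does NOT verify the signature cryptographically; it only checks that
# the signed element is the one a consumer would actually read.
def wrapping_findings(xml)
  doc = REXML::Document.new(xml)
  findings = []

  # Check 1: exactly one Assertion. Wrapped documents carry a forged one
  # next to (or around) the genuine signed one.
  assertions = REXML::XPath.match(doc, '//saml:Assertion', NS)
  findings << "expected exactly one Assertion, found #{assertions.size}" unless assertions.size == 1

  signatures = REXML::XPath.match(doc, '//ds:Signature', NS)
  findings << 'no Signature element' if signatures.empty?

  # Check 2: each Signature must be enveloped by the element its Reference
  # URI names, so the signed bytes and the consumed element are the same node.
  signed_ids = []
  signatures.each do |sig|
    ref = REXML::XPath.first(sig, './ds:SignedInfo/ds:Reference', NS)
    uri = ref && ref.attributes['URI'].to_s
    unless uri && uri.start_with?('#') && uri[1..-1] =~ /\A[\w.-]+\z/
      findings << "Signature has missing or non-local Reference URI #{uri.inspect}"
      next
    end
    id = uri[1..-1]
    target = REXML::XPath.first(doc, "//*[@ID='#{id}']")
    if target.nil?
      findings << "Reference URI ##{id} matches no element"
    elsif !sig.parent.equal?(target)
      findings << "Signature over ##{id} is not enveloped in that element (parent is <#{sig.parent.name}>)"
    else
      signed_ids << id
    end
  end

  # Check 3: the Assertion an application would read (first in document
  # order) must itself be signed, or sit inside a signed ancestor such as
  # a Response that carries an enveloped signature.
  first = assertions.first
  if first
    node = first
    covered = false
    while node
      covered = true if node.respond_to?(:attributes) && signed_ids.include?(node.attributes['ID'])
      node = node.parent
    end
    findings << "consumed Assertion #{first.attributes['ID'].inspect} is not inside a signed element" unless covered
  end
  findings
end

# Constructed sample: a well-formed response with an enveloped signature
# over the single Assertion.
BENIGN_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1">
    <saml:Assertion ID="_a1">
      <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
        <ds:SignatureValue>c2lnbmVk</ds:SignatureValue>
      </ds:Signature>
    </saml:Assertion>
  </samlp:Response>
XML

# Constructed sample of a wrapping attempt: the genuine signed Assertion is
# moved into ds:Object (so the digest over #_a1 still verifies) and a forged,
# unsigned Assertion for "admin" is placed where the consumer looks first.
WRAPPED_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
    <saml:Assertion ID="_evil">
      <saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>
    </saml:Assertion>
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>c2lnbmVk</ds:SignatureValue>
      <ds:Object>
        <saml:Assertion ID="_a1">
          <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
        </saml:Assertion>
      </ds:Object>
    </ds:Signature>
  </samlp:Response>
XML

if __FILE__ == $PROGRAM_NAME
  puts "benign:  #{wrapping_findings(BENIGN_RESPONSE).inspect}"
  puts "wrapped: #{wrapping_findings(WRAPPED_RESPONSE).inspect}"
end
```

The wrapped sample trips all three checks at once (two Assertions, a Signature whose parent is the Response rather than the referenced #_a1, and a consumed Assertion that is not inside any signed element); a real deployment would run these before, not instead of, cryptographic verification of the Reference digest and SignatureValue.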