Updated advisory posts against rubysec/ruby-advisory-db@23ff48f

postmodern · RubySec CI · commit d3b8665810d0 · 2024-09-20T18:49:00.000Z
diff --git a/advisories/_posts/2024-09-11-CVE-2024-45409.md b/advisories/_posts/2024-09-11-CVE-2024-45409.md
@@ -0,0 +1,36 @@
+---
+layout: advisory
+title: 'CVE-2024-45409 (omniauth-saml): omniauth-saml vulnerable to Improper Verification
+  of Cryptographic Signature'
+comments: false
+categories:
+- omniauth-saml
+advisory:
+  gem: omniauth-saml
+  cve: 2024-45409
+  ghsa: cvp8-5r8g-fhvq
+  url: https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-cvp8-5r8g-fhvq
+  title: omniauth-saml vulnerable to Improper Verification of Cryptographic Signature
+  date: 2024-09-11
+  description: |
+    ruby-saml, the dependent SAML gem of omniauth-saml has a signature
+    wrapping vulnerability in <= v1.12.0 and v1.13.0 to v1.16.0 , see
+    https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2
+
+    As a result, omniauth-saml created a
+    [new release](https://github.com/omniauth/omniauth-saml/releases)
+    by upgrading ruby-saml to the patched versions v1.17.
+  cvss_v3: 10.0
+  patched_versions:
+  - ">= 1.10.5, < 2.0.0"
+  - "~> 2.1.2"
+  - ">= 2.2.1"
+  related:
+    ghsa:
+    - https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-cvp8-5r8g-fhvq
+    - https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2
+    - https://github.com/advisories/GHSA-cvp8-5r8g-fhvq
+    url:
+    - https://github.com/omniauth/omniauth-saml/commit/4274e9d57e65f2dcaae4aa3b2accf831494f2ddd
+    - https://github.com/omniauth/omniauth-saml/commit/6c681fd082ab3daf271821897a40ab3417382e29
+---
