Arbitrary Code Injection Affecting ruby-saml package, versions < 0.8.2

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-RUBY-RUBYSAML-20205
published 2 Feb 2015
disclosed 2 Feb 2015
credit Unknown

Report a new vulnerability Found a mistake?

Introduced: 2 Feb 2015

CWE-94 Open this link in a new tab

Overview

ruby-saml is a SAML toolkit for Ruby on Rails.

Affected versions contain a flaw that is triggered as the URI value of a SAML response is not properly sanitized through a prepared statement. This may allow a remote attacker to execute arbitrary shell commands on the host machine.

References

http://rubysec.com/advisories/OSVDB-117903

CVSS Scores

version 3.1

Attack Vector (AV)

Network
Attack Complexity (AC)

Low
Privileges Required (PR)

None
User Interaction (UI)

None

Scope (S)

Unchanged

Confidentiality (C)

Low
Integrity (I)

Low
Availability (A)

Low

Arbitrary Code Injection Affecting ruby-saml package, versions < 0.8.2

Severity

CVSS assessment made by Snyk's Security Team

Introduced: 2 Feb 2015

Overview

References

CVSS Scores

Snyk