XPath Injection Affecting ruby-saml package, versions < 1.0.0

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-RUBY-RUBYSAML-20217
published 28 Apr 2015
disclosed 28 Apr 2015
credit Unknown

Report a new vulnerability Found a mistake?

Introduced: 28 Apr 2015

CWE-91 Open this link in a new tab

Overview

ruby-saml is a SAML toolkit for Ruby on Rails.

Affected versions are vulnerable to XPath injection on xml_security.rb. The lack of prepared statements allows for possible command injection, leading to arbitrary code execution.

References

http://rubysec.com/advisories/OSVDB-124991
https://github.com/onelogin/ruby-saml/pull/225

CVSS Scores

version 3.1

Attack Vector (AV)

Network
Attack Complexity (AC)

Low
Privileges Required (PR)

None
User Interaction (UI)

None

Scope (S)

Unchanged

Confidentiality (C)

None
Integrity (I)

Low
Availability (A)

None

XPath Injection Affecting ruby-saml package, versions < 1.0.0

Severity

CVSS assessment made by Snyk's Security Team

Introduced: 28 Apr 2015

Overview

References

CVSS Scores

Snyk