Source: ruby-saml
Version: 1.17.0-1
Severity: grave
Tags: upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org
Hi,

The following vulnerabilities were published for ruby-saml.

CVE-2025-25291[0]:
| ruby-saml provides security assertion markup language (SAML) single
| sign-on (SSO) for Ruby. An authentication bypass vulnerability was
| found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a
| parser differential. ReXML and Nokogiri parse XML differently; the
| parsers can generate entirely different document structures from the
| same XML input. That allows an attacker to be able to execute a
| Signature Wrapping attack. This issue may lead to authentication
| bypass. Versions 1.12.4 and 1.18.0 fix the issue.

CVE-2025-25292[1]:
| ruby-saml provides security assertion markup language (SAML) single
| sign-on (SSO) for Ruby. An authentication bypass vulnerability was
| found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a
| parser differential. ReXML and Nokogiri parse XML differently, the
| parsers can generate entirely different document structures from the
| same XML input. That allows an attacker to be able to execute a
| Signature Wrapping attack. This issue may lead to authentication
| bypass. Versions 1.12.4 and 1.18.0 contain a patch for the issue.

CVE-2025-25293[2]:
| ruby-saml provides security assertion markup language (SAML) single
| sign-on (SSO) for Ruby. Prior to versions 1.12.4 and 1.18.0,
| ruby-saml is susceptible to remote Denial of Service (DoS) with
| compressed SAML responses. ruby-saml uses zlib to decompress SAML
| responses in case they're compressed. It is possible to bypass the
| message size check with a compressed assertion since the message
| size is checked before inflation and not after. This issue may lead
| to remote Denial of Service (DoS). Versions 1.12.4 and 1.18.0 fix
| the issue.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-25291
    https://www.cve.org/CVERecord?id=CVE-2025-25291
[1] https://security-tracker.debian.org/tracker/CVE-2025-25292
    https://www.cve.org/CVERecord?id=CVE-2025-25292
[2] https://security-tracker.debian.org/tracker/CVE-2025-25293
    https://www.cve.org/CVERecord?id=CVE-2025-25293

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
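The CVE-2025-25293 entry above turns on one ordering detail: a size check applied to the compressed bytes says nothing about how large the message becomes after zlib inflation. The following Ruby is an added illustration of that point, not code from ruby-saml or from this bug report. It places the weak pattern (check, then inflate without limit) next to a hardened one that streams the inflated output through Zlib::Inflate#inflate's block form and aborts as soon as the cap is crossed. MAX_SAML_BYTES and the helper names are assumptions chosen for this example; the raw-DEFLATE window setting reflects the SAML HTTP-Redirect binding, and the sample inputs are constructed inline.

```ruby
require 'zlib'

# Hypothetical cap on a decoded SAML message; this value is an assumption for
# the example, not ruby-saml's actual limit.
MAX_SAML_BYTES = 250_000

# The SAML HTTP-Redirect binding uses raw DEFLATE (no zlib header), hence the
# negative window bits on both the deflate and inflate side.
def deflate_raw(str)
  d = Zlib::Deflate.new(Zlib::DEFAULT_COMPRESSION, -Zlib::MAX_WBITS)
  out = d.deflate(str, Zlib::FINISH)
  d.close
  out
end

# Weak pattern described in CVE-2025-25293: the size check runs on the
# compressed bytes only, so a small payload can inflate without bound.
def inflate_size_checked_before(deflated, max_bytes: MAX_SAML_BYTES)
  raise ArgumentError, 'SAML message too large' if deflated.bytesize > max_bytes
  z = Zlib::Inflate.new(-Zlib::MAX_WBITS)
  begin
    z.inflate(deflated)
  ensure
    z.close
  end
end

# Hardened form: keep the cheap pre-check, but also enforce the cap on the
# inflated output as it streams out, aborting before memory is exhausted.
def inflate_size_checked_after(deflated, max_bytes: MAX_SAML_BYTES)
  raise ArgumentError, 'SAML message too large' if deflated.bytesize > max_bytes
  out = +''
  z = Zlib::Inflate.new(-Zlib::MAX_WBITS)
  begin
    # With a block, Zlib::Inflate#inflate yields output in chunks instead of
    # building one string, so the loop can stop as soon as the cap is crossed.
    z.inflate(deflated) do |chunk|
      out << chunk
      if out.bytesize > max_bytes
        raise ArgumentError, "inflated SAML message exceeds #{max_bytes} bytes"
      end
    end
  ensure
    z.close
  end
  out
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a tiny stand-in for a SAML response, plus a highly
  # compressible payload that is small on the wire but large once inflated.
  sample = '<samlp:Response ID="_example">ok</samlp:Response>'
  bomb = deflate_raw('A' * 5_000_000)
  puts "compressed payload on the wire: #{bomb.bytesize} bytes"
  puts "normal message round-trips: #{inflate_size_checked_after(deflate_raw(sample)) == sample}"
  puts "weak check inflates to: #{inflate_size_checked_before(bomb).bytesize} bytes"
  begin
    inflate_size_checked_after(bomb)
  rescue ArgumentError => e
    puts "hardened check rejected it: #{e.message}"
  end
end
```

The pre-check on the compressed size is still worth keeping (it is cheap and rejects obviously oversized requests before any CPU is spent), but on its own it is the exact gap the advisory describes; the post-inflation bound is what actually limits memory, and streaming lets the limit bite before the whole message has been materialised.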