Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS1yMzY0LTJwajQtcGY3Zs4AAzf1

Critical EPSS: 0.00321% (0.54665 Percentile) EPSS:
Permalink JSON

ruby-saml vulnerable to XPath injection

Affected Packages Affected Versions Fixed Versions
rubygems:ruby-saml
PURL: pkg:gem/ruby-saml
< 1.0.0 1.0.0
20 Dependent packages
2,297 Dependent repositories
115,871,172 Downloads total

Affected Version Ranges

All affected versions

0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.2.1, 0.2.2, 0.2.3, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.6.0, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.8.7, 0.8.8, 0.8.9, 0.8.10, 0.8.11, 0.8.12, 0.8.13, 0.8.14, 0.8.15, 0.8.16, 0.8.17, 0.8.18, 0.9.1, 0.9.2, 0.9.3, 0.9.4

All unaffected versions

1.0.0, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.5.0, 1.6.0, 1.6.1, 1.6.2, 1.7.0, 1.7.1, 1.7.2, 1.8.0, 1.9.0, 1.10.0, 1.10.1, 1.10.2, 1.11.0, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.13.0, 1.14.0, 1.15.0, 1.16.0, 1.17.0, 1.18.0, 1.18.1

xml_security.rb in the ruby-saml gem before 1.0.0 for Ruby allows XPath injection and code execution because prepared statements are not used.

References:

Identifiers

GHSA-r364-2pj4-pf7f

CVE-2015-20108

Risk

Severity

Critical

EPSS

EPSS Percentage: 0.00321

EPSS Percentile: 0.54665

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/SAML-Toolkits/ruby-saml

Date and time

Published

over 2 years ago

Updated

8 months ago

API

JSON