The GitHub commit diff shows a critical change in lib/xml_security.rb, where an XPath query was changed from string interpolation (`//*[@ID='#{uri[1..-1]}']`) to a bound variable (`//*[@ID=$uri]`). This directly corresponds to the CWE-77 (Command Injection) vulnerability described. The vulnerable code path is the validate_signature method, which resolves SAML document references without sanitizing the reference value. Both the nature of the patch (a parameterized query in place of interpolation) and the vulnerability description confirm that this was the exploitation vector.
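As an added illustration (not code from ruby-saml or from the commit), the two query shapes side by side, using REXML, which is what lib/xml_security.rb queried with at the time. The document, element names and the malformed reference are constructed, and the element wildcard `*` in `//*[@ID=...]` is assumed from the standard form of the query.

```ruby
require 'rexml/document'

# Constructed stand-in for a SAML response: two elements carrying ID
# attributes, with signatures and namespaces omitted. Not ruby-saml data.
SAMPLE_XML = <<~XML
  <Response>
    <Assertion ID="_signed-1">signed</Assertion>
    <Assertion ID="_unsigned-2">unsigned</Assertion>
  </Response>
XML

# Pre-1.0.0 shape: the Reference URI ("#id") is spliced into the XPath
# string, so any quote character in the URI becomes part of the query.
def find_reference_interpolated(xml, uri)
  doc = REXML::Document.new(xml)
  REXML::XPath.match(doc, "//*[@ID='#{uri[1..-1]}']")
end

# 1.0.0 shape: the id travels as the XPath variable $uri, so the engine
# compares it as an opaque string and never re-parses it as XPath.
def find_reference_bound(xml, uri)
  doc = REXML::Document.new(xml)
  REXML::XPath.match(doc, "//*[@ID=$uri]", nil, { 'uri' => uri[1..-1] })
end

# The ID attribute of each matched element (nil for elements without one),
# which makes the difference between the two queries visible.
def matched_ids(nodes)
  nodes.map { |n| n.attributes['ID'] }
end

if __FILE__ == $PROGRAM_NAME
  well_formed = '#_signed-1'
  # Constructed malformed reference: a quote that closes the literal,
  # followed by an always-true clause. The interpolated query then matches
  # every element in the document; the bound query matches nothing, which
  # is the correct answer for a reference that names no element.
  malformed = "#x' or '1'='1"
  [well_formed, malformed].each do |uri|
    puts "uri=#{uri.inspect}"
    puts "  interpolated: #{matched_ids(find_reference_interpolated(SAMPLE_XML, uri)).inspect}"
    puts "  bound:        #{matched_ids(find_reference_bound(SAMPLE_XML, uri)).inspect}"
  end
end
```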
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| ruby-saml | rubygems | < 1.0.0 | 1.0.0 |