CVE-2017-11428: Ruby-SAML Improper Authentication vulnerability

CVSS Score: 7.7 (CVSS 3.0)

Basic Information

EPSS Score: 0.62279%
Published: 7/5/2019
Updated: 1/24/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Package Name: ruby-saml
Ecosystem: rubygems
Vulnerable Versions: < 1.7.0
First Patched Version: 1.7.0

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from how REXML's text extraction APIs (such as Element#get_text) handle XML nodes that contain comments. The name_id method in the Response class and the element_text utility function would be the primary points of text extraction from SAML assertions, and they would appear in stack traces when malicious SAML payloads containing comments in authenticated elements are processed. The Duo Security blog explicitly identifies REXML's text node handling as the root cause, and these are the core SAML processing functions that would interact with those APIs.
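The REXML behaviour described above, as an added example (not ruby-saml's own code): it compares first-text-node extraction with extraction that joins every text child, and adds a check for comment nodes inside the element. The helper names and the sample assertion are constructed for illustration.

```ruby
require "rexml/document"

SAML_NS = { "saml" => "urn:oasis:names:tc:SAML:2.0:assertion" }.freeze

# Constructed sample: the NameID text is split into two text nodes by a comment.
SAMPLE_ASSERTION = <<~XML
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Subject>
      <saml:NameID>alice@example.com<!-- c -->.other.example</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
XML

# Locate the NameID element (hypothetical helper, not a ruby-saml method).
def name_id_element(xml)
  doc = REXML::Document.new(xml)
  REXML::XPath.first(doc, "//saml:NameID", SAML_NS)
end

# Extraction pattern at issue: Element#text returns only the FIRST text
# child, so everything after the comment is silently dropped.
def first_text_node(element)
  element.text
end

# Hardened extraction: concatenate every text child of the element, so the
# value read by the application covers all of the element's text.
def full_text(element)
  element.texts.map(&:value).join
end

# Defensive check: an identifier element has no reason to carry comments,
# so their presence can be logged or rejected outright.
def contains_comment?(element)
  !element.comments.empty?
end

if __FILE__ == $PROGRAM_NAME
  el = name_id_element(SAMPLE_ASSERTION)
  puts "first text node : #{first_text_node(el)}"
  puts "all text nodes  : #{full_text(el)}"
  puts "comment present : #{contains_comment?(el)}"
end
```

When the two extraction results differ for the same element, the value the application acts on is not the value the rest of the element carries, which is the mismatch the analysis above attributes to REXML's text node handling.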
