Vulnerability Details : CVE-2017-11430
OmniAuth OmniAuth-SAML 1.9.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attacker to potentially bypass authentication to SAML service providers.
Products affected by CVE-2017-11430
- cpe:2.3:a:omniauth:omniauth_saml:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-11430
- 0.97%: probability of exploitation activity in the next 30 days
- ~84%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-11430
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
7.7 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N | 3.1 | 4.0 | Duo Security, Inc. | |
CWE ids for CVE-2017-11430
- When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
  Assigned by:
  - nvd@nist.gov (Primary)
  - security@duo.com (Secondary)
References for CVE-2017-11430
- https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
  Duo Finds SAML Vulnerabilities Affecting Multiple Implementations | Duo Security (Exploit; Technical Description; Third Party Advisory)
- https://www.kb.cert.org/vuls/id/475445
  VU#475445 - Multiple SAML libraries may allow authentication bypass via incorrect XML canonicalization and DOM traversal (Third Party Advisory; US Government Resource)