CNNVD-202512-1366 Information
CNNVD ID
CNNVD-202512-1366
Related CVE
- CNNVD Published: 2025-12-09
Description (Chinese, translated)
OneLogin ruby-saml is a Ruby-based SAML (Security Assertion Markup Language) library for single sign-on (SSO) services from the US company OneLogin. OneLogin ruby-saml 1.12.4 and earlier versions contain a data forgery vulnerability caused by XML parsing differences, which may allow signature wrapping attacks and authentication bypass.
Description (English)
OneLogin ruby-saml is a Ruby-based SAML (Security Assertion Markup Language) library for single sign-on (SSO) services from the US company OneLogin. OneLogin ruby-saml 1.12.4 and earlier versions contain a data forgery vulnerability that stems from differences in XML parsing; it may lead to signature wrapping attacks and authentication bypass.
Hazard Level
High
Vulnerability Type
Data forgery
Affected Vendor
Onelogin
Published
2025-12-09
Last Modified
2026-02-24
References
https://github.com/SAML-Toolkits/ruby-saml/commit/e9c1cdbd0f9afa467b585de279db0cbd0fb8ae97
https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-9v8j-x534-2fx3
https://github.com/advisories/GHSA-754f-8gm6-c4r2
Patch
https://github.com/SAML-Toolkits/ruby-saml/releases