oss-security - CVE request: Command injection in ruby gem ruby-saml <1.0.0

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [thread-next>] [day] [month] [year] [list]

Date: Thu, 9 Jul 2015 11:18:21 -0700
From: Reed Loden <reed@...dloden.com>
To: oss-security@...ts.openwall.com, 
	Assign a CVE Identifier <cve-assign@...re.org>
Subject: CVE request: Command injection in ruby gem ruby-saml <1.0.0

A follow-up to my previous CVE request. Looked into "Fix xpath injection on
xml_security.rb" some more.

https://github.com/onelogin/ruby-saml/pull/225#issuecomment-120084288

https://github.com/onelogin/ruby-saml/commit/1b4e3dd6d2d44efa629144b2180842456bfb2a0f#diff-661b9d9743a3ff77661f224c6191165cL242

Looks like lack of prepared statements allow for possible command
injection, leading to arbitrary code execution (via something like eval()).

Related to https://github.com/onelogin/ruby-saml/pull/183 /
http://osvdb.org/show/osvdb/117903 (which doesn't seem to have a CVE
assigned either as far as I can tell). Reference for that is
https://security.dxw.com/advisories/publicly-exploitable-command-injection-in-ruby-saml-0-7-2-library-can-root-the-host/
.

~reed

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.