Add New Ruby-Saml vulnerability #163
Conversation
A second Ruby advisory with the same story, CVE request but not OSVDB was sent out today as well. Added that. The CVSS_2 scores were calculated by a colleague
|
CVEs are usually pretty quick on the uptake. Why not wait until later on/tomorrow? |
|
Okay, I'll see if they respond by tomorrow, I'll just let this sit in a PR until then :) |
|
👍 thanks Vanessa! |
|
I will also adjust the specs to allow missing CVEs. |
|
What should the file names be in the case that there is no CVE/OSVDB? dates will get tedious, not that I'm expecting there to be many of these |
|
Ah, I see now, it's missing both CVE and OSVDB. Also email |
|
That's a good question. Generally either MITRE or OSVDB would quickly assign an ID. |
|
So far the way we've been setup requires one or the other - and lately we've been preferring CVEs. |
|
I was the one who put in the requests to MITRE / oss-security and OSVDB... OSVDB got back to me and said they are experiencing infrastructure problems and aren't sure when they will be able to assign IDs again. MITRE takes forever for CVE requests. As soon as I have an update, I'll let you know. |
|
OSVDB has assigned the XEE vuln (SAML-Toolkits/ruby-saml#247) as OSVDB-124383, though it won't show up on the site until they fix some problems. At least this unblocks us from getting this added. Still waiting for the assignment for the other vuln. |
|
I've added that one in there @reedloden :) |
|
and OSVDB has assigned the XPath injection (SAML-Toolkits/ruby-saml#225) as OSVDB-124991. |
| title: Ruby-Saml Gem is vulnerable to XPath Injection | ||
| date: 2015-07-09 | ||
| description: | | ||
| ruby-saml before 1.0.0 is vulnerable to XPath injection on xml_security.rb. The lack of prepared statements allows for possibly command injection, leading to arbitrary code execution |
There was a problem hiding this comment.
Can you wrap at 80 chars here?
|
I think once you update 07092015_2 to reference OSVDB-124991 instead, this should be good to go. |
|
I was in the process of doing that! |
| osvdb: 124991 | ||
| url: https://github.com/onelogin/ruby-saml/pull/225 | ||
| title: Ruby-Saml Gem is vulnerable to XPath Injection | ||
| date: 2015-07-09 |
There was a problem hiding this comment.
Let's make this 2015-04-29, as that's when SAML-Toolkits/ruby-saml@9853651 was committed.
|
Awesome. Let's get the dates changed and squash your commits into one, and this should be good to go. :) |
Yay more date changes
|
Can you squash your commits into one (or one for each)? That's the only thing I see outstanding... |
|
👍 I'll squash it for you. |
|
Merged by hand in d9ec6d2. Thank you for being patient! |
This ruby-saml vuln came through the mailing lists this morning. Its not on OSVDB as far as I can tell (and I can't figure out how to create one) but a CVE was requested so for now I just put the date as the file name.