CVE-2024-45409
Published 2024-09-10
CVE-2024-45409: The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the…
Priority: P1 · 88 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 10.68% (95.3rd percentile)
The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system. This vulnerability is fixed in 1.17.0 and 1.12.3.
Affected
22 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ruby-saml | < ruby-saml 1.13.0-1+deb12u1 (bookworm) | ruby-saml 1.13.0-1+deb12u1 (bookworm) |
| gitlab | gitlab | < 16.11.10 | 16.11.10 |
| gitlab | gitlab | >= 17.0.0 < 17.0.8 | 17.0.8 |
| gitlab | gitlab | >= 17.1.0 < 17.1.8 | 17.1.8 |
| gitlab | gitlab | >= 17.2.0 < 17.2.7 | 17.2.7 |
| gitlab | gitlab | >= 17.3.0 < 17.3.3 | 17.3.3 |
| omniauth | omniauth_saml | <= 1.10.3 | — |
| omniauth | omniauth_saml | — | — |
| omniauth | omniauth_saml | — | — |
| onelogin | ruby-saml | < 1.12.3 | 1.12.3 |
| onelogin | ruby-saml | >= 0 < 1.11.0-1+deb11u1 | 1.11.0-1+deb11u1 |
| onelogin | ruby-saml | >= 0 < 1.13.0-1+deb12u1 | 1.13.0-1+deb12u1 |
| onelogin | ruby-saml | >= 0 < 1.12.3 | 1.12.3 |
| onelogin | ruby-saml | >= 0 < 1.11.0-1ubuntu0.1 | 1.11.0-1ubuntu0.1 |
| onelogin | ruby-saml | >= 0 < 1.13.0-1ubuntu0.1 | 1.13.0-1ubuntu0.1 |
| onelogin | ruby-saml | >= 0 < 1.15.0-1ubuntu0.24.04.1 | 1.15.0-1ubuntu0.24.04.1 |
| onelogin | ruby-saml | >= 0 < 1.1.2-1ubuntu1+esm1 | 1.1.2-1ubuntu1+esm1 |
| onelogin | ruby-saml | >= 0 < 1.7.2-1ubuntu0.1~esm1 | 1.7.2-1ubuntu0.1~esm1 |
| onelogin | ruby-saml | >= 1.13.0 < 1.17.0 | 1.17.0 |
| onelogin | ruby-saml | >= 1.13.0 < 1.17.0 | 1.17.0 |
| saml-toolkits | ruby-saml | < 1.12.3 | 1.12.3 |
| saml-toolkits | ruby-saml | — | — |
Detection & IOCs (extracted from sources)
Snort rule:
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ruby-SAML Authentication Bypass by Assertion Smuggling (CVE-2024-45409)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/users/auth/saml/callback"; endswith; http.request_body; url_decode; content:"RelayState|3d|"; content:"SAMLResponse|3d|"; fast_pattern; base64_decode:offset 0,relative; base64_data; content:""; content:"DigestValue|20|"; distance:0; content:""; distance:0; reference:url,blog.projectdiscovery.io/ruby-saml-gitlab-auth-bypass/; reference:cve,2024-45409; classtype:web-application-attack; sid:2056646; rev:1; metadata:created_at 2024_10_14, cve CVE_2024_45409, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_10_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Look for RubySaml::ValidationError in authentication logs; it indicates unsuccessful exploitation attempts.
- Monitor authentication logs for new or unusual extern_uid values, which indicate successful exploitation.
- Flag SAML responses with missing or incorrect information as a sign of tampering.
- Detect multiple extern_uid values associated with a single user account, which may indicate account compromise.
- Alert on SAML authentication events originating from unfamiliar or suspicious IP addresses compared to the user's usual access patterns.
- The exploit POST body contains both RelayState and SAMLResponse parameters; the decoded SAMLResponse contains an injected DigestValue element inside a samlp:Extensions block, a hallmark of assertion smuggling.
- The exploit removes the Response-level ds:Signature, rewrites saml:NameID and saml:AttributeValue to the target username, then injects a forged DigestValue into a samlp:Extensions element to bypass signature validation.
- Use Shodan query 'http.title:"GitLab"' to identify exposed GitLab instances potentially vulnerable to this CVE.
- A successful exploitation results in an HTTP 302 redirect response containing a known_sign_in cookie/header value; use this as a post-exploitation detection signal.
- The vulnerability only affects self-managed GitLab installations; GitLab Dedicated instances and GitLab.com are not impacted.
- The Snort/ET rule requires SSL decryption to be effective against HTTPS traffic (its metadata includes 'deployment SSLDecrypt').
- The Nuclei exploit template requires the SAMLResponse environment variable to be pre-populated with a valid IdP-signed SAML document; the attacker must already possess at least one legitimately signed SAML document.
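The payload shape described in the bullets above (a DigestValue placed inside samlp:Extensions and a stripped Response-level signature) can be screened for structurally before a decoded SAMLResponse reaches the SAML library. The Ruby script below is an added example written for this page; it is not code from the page's sources, from ruby-saml, or from GitLab. It uses only the standard-library REXML parser, and the two SAML documents embedded in it are constructed samples whose digest and signature values are placeholders rather than real cryptographic output.

```ruby
require "rexml/document"

# Namespace URIs for SAML 2.0 protocol/assertion and XML Signature.
NS = {
  "samlp" => "urn:oasis:names:tc:SAML:2.0:protocol",
  "saml"  => "urn:oasis:names:tc:SAML:2.0:assertion",
  "ds"    => "http://www.w3.org/2000/09/xmldsig#",
}.freeze

# Structural triage of a decoded SAMLResponse. In a well-formed signed message
# every ds:DigestValue sits under ds:Signature/ds:SignedInfo/ds:Reference; a
# DigestValue anywhere else, in particular inside samlp:Extensions, matches the
# assertion-smuggling payload shape. Returns an array of finding strings
# (empty = nothing suspicious). This is not a signature verifier.
def smuggling_findings(xml)
  begin
    doc = REXML::Document.new(xml)
  rescue REXML::ParseException
    return ["unparseable XML"]
  end

  findings = []
  digests = REXML::XPath.match(doc, "//ds:DigestValue", NS)
  findings << "no DigestValue present" if digests.empty?

  digests.each do |dv|
    # Collect [namespace URI, local name] for every element ancestor.
    ancestors = []
    node = dv.parent
    while node.is_a?(REXML::Element) && !node.is_a?(REXML::Document)
      ancestors << [node.namespace, node.name]
      node = node.parent
    end
    findings << "DigestValue inside samlp:Extensions" if ancestors.include?([NS["samlp"], "Extensions"])
    findings << "DigestValue outside ds:SignedInfo" unless ancestors.include?([NS["ds"], "SignedInfo"])
  end

  # The known exploit strips the Response-level signature. IdPs that sign only
  # the Assertion also omit it, so treat this as corroborating, not decisive.
  if REXML::XPath.first(doc, "/samlp:Response/ds:Signature", NS).nil?
    findings << "no Response-level ds:Signature"
  end
  findings.uniq
end

# Constructed sample: the shape of a legitimately signed Response.
BENIGN_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1" Version="2.0">
    <ds:Signature>
      <ds:SignedInfo>
        <ds:Reference URI="#_resp1">
          <ds:DigestValue>PLACEHOLDER-DIGEST</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER-SIGNATURE</ds:SignatureValue>
    </ds:Signature>
    <saml:Assertion ID="_assert1">
      <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Response>
XML

# Constructed sample: the payload shape from the bullets above. Response-level
# signature removed, NameID rewritten, forged DigestValue in samlp:Extensions,
# the original Assertion-level signature block left in place.
SMUGGLED_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp2" Version="2.0">
    <samlp:Extensions>
      <ds:DigestValue>FORGED-DIGEST</ds:DigestValue>
    </samlp:Extensions>
    <saml:Assertion ID="_assert2">
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#_assert2">
            <ds:DigestValue>ORIGINAL-DIGEST</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>ORIGINAL-SIGNATURE</ds:SignatureValue>
      </ds:Signature>
      <saml:Subject><saml:NameID>root</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Response>
XML

if __FILE__ == $PROGRAM_NAME
  { "benign" => BENIGN_RESPONSE, "smuggled" => SMUGGLED_RESPONSE }.each do |label, xml|
    puts "#{label}: #{smuggling_findings(xml).inspect}"
  end
end
```

The checker answers "does this document have the shape of the known payload", not "is the signature valid", so it belongs in front of, not in place of, an upgraded ruby-saml. A missing Response-level signature is reported because the exploit strips it, but IdPs that sign only the Assertion produce that legitimately; weigh it together with the DigestValue findings, which are the decisive ones.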
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ghsa | 7.5 | HIGH | — |
| osv | 9.8 | CRITICAL | — |
| vulncheck | 10.0 | CRITICAL | — |
| vendor_debian | 10.0 | CRITICAL | — |
| vendor_ubuntu | 7.5 | HIGH | — |
GHSA
CVE-2026-45409 [HIGH] CWE-1333: Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix
ghsa · 2026-05-19 · CVSS 7.5
This is the same issue as CVE-2024-3651, however the original remediation in 2024 was not a complete fix. Payloads such as `"\u0660" * N` or `"\u30fb" * N + "\u6f22"` utilize the `valid_contexto` function prior to length rejection, and for high values of `N` will take a long time to process.
### Impact
A specially crafted argument to the `idna.encode()` function could consume significant resources. This may lead to a denial-of-service.
### Patches
Starting in version 3.14, the function rejects long inputs as soon as practicable prior to any further processing to minimize resource consumption. In version 3.15, this approach was extended to lesser used alternate fu
OSV
CVE-2016-5697 [HIGH] Ruby SAML vulnerabilities
osv · 2025-02-28 · CVSS 7.5
It was discovered that Ruby SAML did not properly validate SAML responses. An unauthenticated attacker could use this vulnerability to log in as an arbitrary user. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-5697)
It was discovered that Ruby SAML incorrectly utilized the results of XML DOM traversal and canonicalization APIs. An unauthenticated attacker could use this vulnerability to log in as an arbitrary user. This issue only affected Ubuntu 16.04 LTS. (CVE-2017-11428)
It was discovered that Ruby SAML did not properly verify the signature of the SAML Response, allowing multiple elements with the same ID. An unauthenticated attacker could use this vulnerability to log in as an arbitrary user. (CVE-2024-45409)
OSV
CVE-2024-45409 [CRITICAL] SAML authentication bypass via Incorrect XPath selector
osv · 2024-09-10
Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system.
This vulnerability was reported by ahacker1 of SecureSAML ([email protected])
OSV
CVE-2024-45409 [CRITICAL] CVE-2024-45409: The Ruby SAML library is for implementing the client side of a SAML authorization
osv · 2024-09-10 · CVSS 9.8
Description: identical to the NVD text at the top of this page.
GHSA
CVE-2024-45409 [CRITICAL] CWE-347 SAML authentication bypass via Incorrect XPath selector
ghsa · 2024-09-10
Advisory text: identical to the OSV entry "SAML authentication bypass via Incorrect XPath selector" above.
This vulnerability was reported by ahacker1 of SecureSAML ([email protected])
VulnCheck
CVE-2024-45409 [CRITICAL] onelogin ruby-saml Improper Verification of Cryptographic Signature
vulncheck · 2024 · CVSS 10.0
Description: identical to the NVD text at the top of this page.
Affected: onelogin ruby-saml
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://cyble.com/blog/active-exploitation-of-s
Ubuntu
CVE-2024-45409 [HIGH] Ruby SAML vulnerabilities
vendor_ubuntu · 2025-02-28 · CVSS 7.5
Title: Ruby SAML vulnerabilities
Summary: Several security issues were fixed in Ruby SAML.
It was discovered that Ruby SAML did not properly validate SAML responses. An unauthenticated attacker could use this vulnerability to log in as an arbitrary user. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-5697)
It was discovered that Ruby SAML incorrectly utilized the results of XML DOM traversal and canonicalization APIs. An unauthenticated attacker could use this vulnerability to log in as an arbitrary user. This issue only affected Ubuntu 16.04 LTS. (CVE-2017-11428)
It was discovered that Ruby SAML did not properly verify the signature of the SAML Response, allowing multiple elements with the same ID. An unauthenticated attacker could use this vulnerability to log in as an arbitrary u
Debian
CVE-2024-45409 [CRITICAL] ruby-saml - The Ruby SAML library is for implementing the client side of a SAML authorization...
vendor_debian · 2024 · CVSS 10.0
Description: identical to the NVD text at the top of this page.
Scope: local
bookworm: resolved (fixed in 1.13.0-1+deb12u1)
bullseye: resolved (fixed in 1.11.0-1+deb11u1)
Suricata
CVE-2024-45409 [CRITICAL] ET WEB_SPECIFIC_APPS Ruby-SAML Authentication Bypass by Assertion Smuggling (CVE-2024-45409)
suricata · 2024-10-14 · CVSS 10.0
Rule: the same ET rule (sid:2056646, rev:1) listed in full under Detection & IOCs above.
Nuclei
CVE-2024-45409 [CRITICAL] GitLab - SAML Authentication Bypass
nuclei · CVSS 9.8
The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response.
Template:
```yaml
id: CVE-2024-45409

info:
  name: GitLab - SAML Authentication Bypass
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response.
  impact: |
    An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable
```
References
- https://github.com/SAML-Toolkits/ruby-saml/commit/1ec5392bc506fe43a02dbb66b68741051c5ffeae
- https://github.com/SAML-Toolkits/ruby-saml/commit/4865d030cae9705ee5cdb12415c654c634093ae7
- https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2
- https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-cvp8-5r8g-fhvq
- https://lists.debian.org/debian-lts-announce/2024/11/msg00006.html
- https://news.ycombinator.com/item?id=41586031
- https://security.netapp.com/advisory/ntap-20240926-0008/
- https://ssoready.com/blog/engineering/ruby-saml-pwned-by-xml-signature-wrapping-attacks/