cbcvebase.
CVE-2024-45409
published 2024-09-10


Priority: P188 (critical)
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 10.68% (95.3rd percentile)
The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any SAML document signed by the IdP can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as an arbitrary user within the vulnerable system. This vulnerability is fixed in 1.17.0 and 1.12.3.

Affected

22 ranges
Vendor | Product | Version range | Fixed in
debian | ruby-saml | < ruby-saml 1.13.0-1+deb12u1 (bookworm) | ruby-saml 1.13.0-1+deb12u1 (bookworm)
gitlab | gitlab | < 16.11.10 | 16.11.10
gitlab | gitlab | >= 17.0.0 < 17.0.8 | 17.0.8
gitlab | gitlab | >= 17.1.0 < 17.1.8 | 17.1.8
gitlab | gitlab | >= 17.2.0 < 17.2.7 | 17.2.7
gitlab | gitlab | >= 17.3.0 < 17.3.3 | 17.3.3
omniauth | omniauth_saml | <= 1.10.3 | (not given)
omniauth | omniauth_saml | (not given) | (not given)
omniauth | omniauth_saml | (not given) | (not given)
onelogin | ruby-saml | < 1.12.3 | 1.12.3
onelogin | ruby-saml | >= 0 < 1.11.0-1+deb11u1 | 1.11.0-1+deb11u1
onelogin | ruby-saml | >= 0 < 1.13.0-1+deb12u1 | 1.13.0-1+deb12u1
onelogin | ruby-saml | >= 0 < 1.12.3 | 1.12.3
onelogin | ruby-saml | >= 0 < 1.11.0-1ubuntu0.1 | 1.11.0-1ubuntu0.1
onelogin | ruby-saml | >= 0 < 1.13.0-1ubuntu0.1 | 1.13.0-1ubuntu0.1
onelogin | ruby-saml | >= 0 < 1.15.0-1ubuntu0.24.04.1 | 1.15.0-1ubuntu0.24.04.1
onelogin | ruby-saml | >= 0 < 1.1.2-1ubuntu1+esm1 | 1.1.2-1ubuntu1+esm1
onelogin | ruby-saml | >= 0 < 1.7.2-1ubuntu0.1~esm1 | 1.7.2-1ubuntu0.1~esm1
onelogin | ruby-saml | >= 1.13.0 < 1.17.0 | 1.17.0
onelogin | ruby-saml | >= 1.13.0 < 1.17.0 | 1.17.0
saml-toolkits | ruby-saml | < 1.12.3 | 1.12.3
saml-toolkits | ruby-saml | (not given) | (not given)

Detection & IOCs (extracted from sources)

URL: /users/auth/saml/callback
Snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ruby-SAML Authentication Bypass by Assertion Smuggling (CVE-2024-45409)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/users/auth/saml/callback"; endswith; http.request_body; url_decode; content:"RelayState|3d|"; content:"SAMLResponse|3d|"; fast_pattern; base64_decode:offset 0,relative; base64_data; content:""; content:"DigestValue|20|"; distance:0; content:""; distance:0; reference:url,blog.projectdiscovery.io/ruby-saml-gitlab-auth-bypass/; reference:cve,2024-45409; classtype:web-application-attack; sid:2056646; rev:1; metadata:created_at 2024_10_14, cve CVE_2024_45409, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_10_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Look for RubySaml::ValidationError in authentication logs — indicates unsuccessful exploitation attempts.
  • Monitor authentication logs for new or unusual extern_uid values, which indicate successful exploitation.
  • Flag SAML responses with missing or incorrect information as a sign of tampering.
  • Detect multiple extern_uid values associated with a single user account, which may indicate account compromise.
  • Alert on SAML authentication events originating from unfamiliar or suspicious IP addresses compared to the user's usual access patterns.
  • Exploit POST body contains both RelayState and SAMLResponse parameters; the decoded SAMLResponse contains an injected DigestValue element inside a samlp:Extensions block — a hallmark of assertion smuggling.
  • The exploit removes the Response-level ds:Signature, rewrites saml:NameID and saml:AttributeValue to the target username, then injects a forged DigestValue into a samlp:Extensions element to bypass signature validation.
  • Use Shodan query 'http.title:"GitLab"' to identify exposed GitLab instances potentially vulnerable to this CVE.
  • A successful exploitation results in an HTTP 302 redirect response containing a known_sign_in cookie/header value — use this as a post-exploitation detection signal.
  • The vulnerability only affects self-managed GitLab installations; GitLab Dedicated instances and GitLab.com are not impacted.
  • The Snort/ET rule requires SSL decryption to be effective against HTTPS traffic (metadata includes 'deployment SSLDecrypt').
  • The Nuclei exploit template requires the SAMLResponse environment variable to be pre-populated with a valid IdP-signed SAML document; the attacker must already possess at least one legitimately signed SAML document.
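Added example, not code from this advisory page or from the ruby-saml project: a small Ruby checker that turns the detection hints above into code, flagging a DigestValue inside samlp:Extensions and a missing Response-level ds:Signature in a captured SAMLResponse value, and counting RubySaml::ValidationError lines in auth log text. The SAML and log samples are constructed; the SAML 2.0 and XML-DSig namespace URIs are standard, and the log line format is assumed.

```ruby
# Added example (not from this advisory page or the ruby-saml project): defender-side
# checks implementing the detection hints above, over a captured SAMLResponse value
# and over auth log text. All XML and log samples here are constructed.
require "base64"
require "rexml/document"

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML  = "urn:oasis:names:tc:SAML:2.0:assertion"
DS    = "http://www.w3.org/2000/09/xmldsig#"
NS    = { "samlp" => SAMLP, "saml" => SAML, "ds" => DS }
# Decode the base64 SAMLResponse form value and return a list of finding strings.
def smuggling_findings(saml_response_b64)
  doc = REXML::Document.new(Base64.decode64(saml_response_b64))
  findings = []
  # DigestValue belongs under ds:SignedInfo/ds:Reference; inside samlp:Extensions it
  # is the smuggling shape the Snort rule above matches on.
  unless REXML::XPath.match(doc, "//samlp:Extensions//ds:DigestValue", NS).empty?
    findings << "DigestValue inside samlp:Extensions"
  end
  # An Assertion present while the Response-level ds:Signature is gone is the other
  # half of the pattern (assumes the IdP normally signs the Response).
  if REXML::XPath.first(doc, "/samlp:Response/ds:Signature", NS).nil? &&
     REXML::XPath.first(doc, "//saml:Assertion", NS)
    findings << "no Response-level ds:Signature"
  end
  findings
rescue REXML::ParseException
  ["unparseable SAMLResponse"]
end
# Count RubySaml::ValidationError lines (unsuccessful attempts) in auth log text.
def validation_error_count(log_text)
  log_text.each_line.count { |l| l.include?("RubySaml::ValidationError") }
end
# Constructed sample builder: a minimal Response, optionally without a Response-level
# signature and with a DigestValue smuggled into Extensions.
def sample_response(signed:, smuggled:)
  sig = signed ? "<ds:Signature><ds:SignedInfo/></ds:Signature>" : ""
  ext = smuggled ? "<samlp:Extensions><ds:DigestValue>AAAA</ds:DigestValue></samlp:Extensions>" : ""
  xml = "<samlp:Response xmlns:samlp=\"#{SAMLP}\" xmlns:saml=\"#{SAML}\" xmlns:ds=\"#{DS}\">" \
        "#{sig}#{ext}<saml:Assertion><saml:Subject><saml:NameID>alice</saml:NameID>" \
        "</saml:Subject></saml:Assertion></samlp:Response>"
  Base64.strict_encode64(xml)
end
AUTH_LOG = <<~LOG # constructed log lines, not real GitLab output
  2024-10-14T10:01:02Z ERROR (saml) Authentication failure! RubySaml::ValidationError: Invalid Signature
  2024-10-14T10:01:05Z INFO  (saml) login ok extern_uid=alice@example.org
  2024-10-14T10:01:09Z ERROR (saml) Authentication failure! RubySaml::ValidationError: Digest mismatch
LOG
```

Feed `smuggling_findings` the url-decoded SAMLResponse form value from a callback POST; an empty result means neither structural red flag was present, not that the signature is valid.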

CVSS provenance

Source | Score | Severity | Vector
nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ghsa | 7.5 | HIGH |
osv | 9.8 | CRITICAL |
vulncheck | 10.0 | CRITICAL |
vendor_debian | 10.0 | CRITICAL |
vendor_ubuntu | 7.5 | HIGH |