Security improvement: Avoid entity expansion (XEE attacks) #247
Conversation
Should a CVE be requested for this?

👍 to request and assign a CVE, as it seems like the older versions have potential security impact.

@reedloden Hey Reed, we meet again :D. If you're doing the CVE, this is my stab at the CVSS vector: https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C)

I requested one in http://seclists.org/oss-sec/2015/q3/70. Good to hear from you, @CalebFenton! I linked to this pull request from my CVE request, so hopefully NIST will see this when they do NVD advisories for the eventual CVE (and assign a CVSSv2 score).

I also opened up #252 to figure out a better process for handling security issues going forward.
Bump omniauth-saml to 1.4.1 Updates a vulnerable `ruby-saml` dependency. - SAML-Toolkits/ruby-saml@9853651 - SAML-Toolkits/ruby-saml#247 See merge request !1162
Related info of XEE attacks:
http://web-in-security.blogspot.de/2014/11/detecting-and-exploiting-xxe-in-saml.html
http://www.vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf
http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html