CVE-2015-20108

moderate-risk
Published 2023-05-27

xml_security.rb in the ruby-saml gem before 1.0.0 for Ruby allows XPath injection and code execution because prepared statements are not used.

Do I need to act?

-
0.40% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Onelogin

References (10)

Patch https://github.com/SAML-Toolkits/ruby-saml/commit/9853651b96b99653ea8627d757d46b...
Patch https://github.com/SAML-Toolkits/ruby-saml/compare/v0.9.2...v1.0.0
Issue Tracking https://github.com/SAML-Toolkits/ruby-saml/pull/225
Third Party Advisory https://github.com/rubysec/ruby-advisory-db/blob/master/gems/ruby-saml/OSVDB-124...
https://security.netapp.com/advisory/ntap-20230703-0003/
Patch https://github.com/SAML-Toolkits/ruby-saml/commit/9853651b96b99653ea8627d757d46b...
Patch https://github.com/SAML-Toolkits/ruby-saml/compare/v0.9.2...v1.0.0
Issue Tracking https://github.com/SAML-Toolkits/ruby-saml/pull/225
Third Party Advisory https://github.com/rubysec/ruby-advisory-db/blob/master/gems/ruby-saml/OSVDB-124...
https://security.netapp.com/advisory/ntap-20230703-0003/
39
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 2/34 · Minimal
Exposure 5/34 · Minimal