oss-sec mailing list archives

Re: CVE request: XEE in ruby gem ruby-saml <1.0.0
From: Reed Loden <reed () reedloden com>
Date: Sun, 2 Aug 2015 18:27:32 -0700

Any update on a CVE assignment for this?

~reed

On Thu, Jul 9, 2015 at 2:48 AM, Reed Loden <reed () reedloden com> wrote:

Noticed this when reading changelog entries... I'm weird like that.

https://github.com/onelogin/ruby-saml/pull/247
https://github.com/onelogin/ruby-saml/commit/a2e5318530701bf14528c5b3b51c880b3499a75d

"Avoid entity expansion (XEE attacks)"

Release notes for ruby-saml v1.0.0
https://github.com/onelogin/ruby-saml/releases/tag/v1.0.0

(I wonder if the "Fix xpath injection on xml_security.rb" fix is a vuln as
well)

~reed
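As an added example that is not part of this thread and not the ruby-saml project's own fix, the Ruby snippet below shows the defensive check a SAML consumer can apply against the entity expansion (XEE) class of bug named in the commit message above: a SAML message never legitimately carries a DTD, so any input declaring a DOCTYPE or ENTITY is refused before it reaches the parser (REXML here, the parser ruby-saml used at the time), and the parsed document's doctype is re-checked as defence in depth. The function names, the `UnsafeXmlError` class and the two sample messages are constructed for the example.

```ruby
require 'rexml/document'

class UnsafeXmlError < StandardError; end

# Constructed sample inputs (not real SAML traffic).
CLEAN_RESPONSE = <<~XML
  <?xml version="1.0"?>
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_abc123">
    <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
  </samlp:Response>
XML

# Same message shape, but with an internal DTD declaring an entity that the
# document then references. A SAML response has no reason to carry this.
DTD_RESPONSE = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE samlp:Response [ <!ENTITY pad "xxxxxxxx"> ]>
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="&pad;">
  </samlp:Response>
XML

# Matches the start of a DOCTYPE or ENTITY declaration anywhere in the text.
DTD_PATTERN = /<!(?:DOCTYPE|ENTITY)\b/i

# Textual pre-check, usable on its own for logging or alerting:
# :ok when the message carries no DTD, :dtd when it declares one.
def classify_saml_xml(xml)
  xml.match?(DTD_PATTERN) ? :dtd : :ok
end

# Parses only after the pre-check passed, so the parser never sees entity
# declarations; re-checks the parsed doctype in case the text check missed one.
def parse_saml(xml)
  raise UnsafeXmlError, 'DTD/entity declaration in SAML message' if classify_saml_xml(xml) == :dtd
  doc = REXML::Document.new(xml)
  raise UnsafeXmlError, 'parser produced a DOCTYPE node' unless doc.doctype.nil?
  doc
end

# Example consumer: read the Response ID attribute from a vetted message.
def response_id(xml)
  parse_saml(xml).root.attributes['ID']
end

# true if the message was refused by parse_saml, false if it parsed cleanly.
def rejected?(xml)
  parse_saml(xml)
  false
rescue UnsafeXmlError
  true
end

if __FILE__ == $PROGRAM_NAME
  puts "clean message ID: #{response_id(CLEAN_RESPONSE)}"
  puts "DTD message rejected: #{rejected?(DTD_RESPONSE)}"
end
```

Refusing the whole message is deliberate: stripping the DTD and continuing would leave unresolved entity references in a signed document, whereas a hard reject is both safer and easier to alert on (the `:dtd` classification is the line to log).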