Release 1.17.0

pitbulk · pitbulk · commit 1bc447f297b7 · 2024-09-10T19:15:42.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,7 @@
 # Ruby SAML Changelog
 
-### 1.17.0
+### 1.17.0  (Sep 10, 2024)
+* Fix for critical vulnerability CVE-2024-45409: SAML authentication bypass via Incorrect XPath selector
 * [#687](https://github.com/SAML-Toolkits/ruby-saml/pull/687) Add CI coverage for Ruby 3.3 and Windows.
 * [#673](https://github.com/SAML-Toolkits/ruby-saml/pull/673) Add `Settings#sp_cert_multi` paramter to facilitate SP certificate and key rotation.
 * [#673](https://github.com/SAML-Toolkits/ruby-saml/pull/673) Support multiple simultaneous SP decryption keys via `Settings#sp_cert_multi` parameter.
@@ -39,6 +40,9 @@
 * Add warning about the use of IdpMetadataParser class and SSRF
 * CI: Migrate from Travis to Github Actions
 
+### 1.12.3  (Sep 10, 2024)
+* Fix for critical vulnerability CVE-2024-45409: SAML authentication bypass via Incorrect XPath selector
+
 ### 1.12.2 (Apr 08, 2021)
 * [#575](https://github.com/onelogin/ruby-saml/pull/575) Fix SloLogoutresponse bug on LogoutRequest
 
diff --git a/README.md b/README.md
@@ -7,6 +7,8 @@
 Ruby SAML minor and tiny versions may introduce breaking changes. Please read
 [UPGRADING.md](UPGRADING.md) for guidance on upgrading to new Ruby SAML versions.
 
+There is a critical vulnerability affecting ruby-saml < 1.17.0 (CVE-2024-45409). Make sure you are using an updated version. (1.12.3 is safe)
+
 ## Overview
 
 The Ruby SAML library is for implementing the client side of a SAML authorization,
diff --git a/lib/onelogin/ruby-saml/version.rb b/lib/onelogin/ruby-saml/version.rb
@@ -1,5 +1,5 @@
 module OneLogin
   module RubySaml
-    VERSION = '1.16.0'
+    VERSION = '1.17.0'
   end
 end
diff --git a/lib/xml_security.rb b/lib/xml_security.rb
@@ -316,6 +316,7 @@ def validate_signature(base64_cert, soft = true)
         "./ds:SignedInfo",
         { "ds" => DSIG }
       )
+
       # get inclusive namespaces
       inclusive_namespaces = extract_inclusive_namespaces
 
@@ -325,7 +326,7 @@ def validate_signature(base64_cert, soft = true)
       reference_nodes = document.xpath("//*[@ID=$id]", nil, { 'id' => extract_signed_element_id })
 
       if reference_nodes.length > 1 # ensures no elements with same ID to prevent signature wrapping attack.
-        return append_error("Digest Mismatch", soft)
+        return append_error("Digest mismatch. Duplicated ID found", soft)
       end
 
       hashed_element = reference_nodes[0]
