Cyber Resilience

CVE-2024-45409

Critical

Published: 10 September 2024
Modified: 21 November 2024
KEV Added: not listed
Patch: available (see Deeper analysis)
CVSS v3.1 Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.4464 (97.7th percentile)
Risk Priority: 47 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-45409 is a critical-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in GitLab, which bundles the affected Ruby SAML library (see Deeper analysis). Its CVSS base score is 10.0 (Critical).

Operationally, it ranks in the top 2.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

The Ruby SAML library, used to implement the client side of SAML authorization in Ruby applications, is affected by CVE-2024-45409. Versions up to 1.12.2, and 1.13.0 through 1.16.0, fail to properly verify the signature on SAML Responses (CWE-347). An attacker holding any validly signed document from the identity provider can therefore craft a forged Response or Assertion carrying arbitrary attributes or subject information, because the signature check does not bind the verified signature to the content the application actually trusts.

An unauthenticated remote attacker with access to such a legitimately signed SAML document can use the flaw to bypass authentication entirely. By submitting the manipulated Response to a vulnerable service provider, the attacker can assume the identity of any user of the application, achieving full account takeover without valid credentials or any interaction from the target.

The issue is resolved in ruby-saml 1.17.0 and 1.12.3, with patches available via the referenced GitHub commits. Security advisories from the ruby-saml and omniauth-saml projects, along with downstream notifications such as the Debian LTS announcement, recommend an immediate upgrade to a fixed release. The EPSS score has held at 0.4464, its peak, since disclosure.

Vulnerability details

The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 1.12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed SAML document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as an arbitrary user within the vulnerable system. This vulnerability is fixed in 1.17.0 and 1.12.3.

CWE(s): CWE-347, Improper Verification of Cryptographic Signature

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

onelogin / ruby-saml: ≤ 1.12.3 · 1.13.0 to 1.17.0
omniauth / omniauth-saml: 2.0.0, 2.1.0 · ≤ 1.10.3
gitlab / gitlab: ≤ 16.11.10 · 17.0.0 to 17.0.8 · 17.1.0 to 17.1.8

Note that the ruby-saml ranges as listed reach the fixed releases 1.12.3 and 1.17.0 named above; the upper bounds are presumably exclusive, so 1.12.3 and 1.17.0 themselves are the patched versions.
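A defender's first step is finding where the vulnerable gem is pinned. The script below is an added example, not code from this page or from the ruby-saml or omniauth-saml projects: it scans a Gemfile.lock for ruby-saml and omniauth-saml pins that fall inside the ranges given above (ruby-saml per the fixed versions 1.12.3 and 1.17.0 in Deeper analysis, omniauth-saml per the Affected Assets list) using only Ruby's standard library, and it assumes the standard Gemfile.lock layout with resolved gems indented by exactly four spaces.

```ruby
require "rubygems"

# Vulnerable ranges as stated on this page: ruby-saml <= 1.12.2 and
# 1.13.0 through 1.16.0 (fixed in 1.12.3 and 1.17.0); the omniauth-saml
# versions are those listed under "Affected Assets".
VULNERABLE = {
  "ruby-saml"     => [Gem::Requirement.new("<= 1.12.2"),
                      Gem::Requirement.new(">= 1.13.0", "<= 1.16.0")],
  "omniauth-saml" => [Gem::Requirement.new("= 2.0.0"),
                      Gem::Requirement.new("= 2.1.0"),
                      Gem::Requirement.new("<= 1.10.3")],
}.freeze

# Resolved gems in a Gemfile.lock appear under "specs:" as "    name (version)"
# (exactly four spaces); deeper-indented dependency constraints are skipped.
SPEC_LINE = /\A {4}(\S+) \(([^)]+)\)\s*\z/

def resolved_gems(lockfile_text)
  lockfile_text.each_line.filter_map do |line|
    m = SPEC_LINE.match(line) or next
    # Drop a platform suffix such as "-x86_64-linux" before comparing.
    [m[1], m[2].sub(/-.*\z/, "")]
  end
end

# Returns "name version" for every pinned gem inside a vulnerable range.
def vulnerable_gems(lockfile_text)
  resolved_gems(lockfile_text).filter_map do |name, ver|
    ranges = VULNERABLE[name] or next
    next unless Gem::Version.correct?(ver)
    version = Gem::Version.new(ver)
    next unless ranges.any? { |r| r.satisfied_by?(version) }
    "#{name} #{ver}"
  end
end

# Constructed sample lockfile fragment (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.16.7-x86_64-linux)
      omniauth-saml (2.1.0)
        omniauth (~> 2.1)
        ruby-saml (~> 1.12)
      ruby-saml (1.15.0)
LOCK

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  vulnerable_gems(text).each { |hit| puts "VULNERABLE: #{hit} (CVE-2024-45409)" }
end
```

Run it as `ruby check_saml.rb path/to/Gemfile.lock`; with no argument it scans the constructed sample and reports both pins.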

Mitigating Controls

Likely Mitigating Controls (automated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-347: Requires verification of digital signatures using organization-approved certificates before installation, directly preventing improper verification of cryptographic signatures.

Addresses CWE-347: Component authenticity commonly depends on cryptographic signatures; the control enforces proper verification of those signatures.

Addresses CWE-347: PKI certificates under an approved policy require cryptographic signature verification on issuance and validation.

Addresses CWE-347: Requires cryptographic signatures on authoritative data and support for verifying the chain of trust.

Addresses CWE-347: Mandates verification of cryptographic signatures (e.g., DNSSEC RRSIG) on resolution responses, addressing missing or bypassed signature checks.

Addresses CWE-347: Integrity tools commonly rely on cryptographic signatures whose improper validation this weakness covers.

Addresses CWE-347: Authenticity validation commonly relies on cryptographic signature or certificate checks that this control enforces.
