Advisory Database
  • Advisories
  • Dependency Scanning
  1. golang
  2. ›
  3. github.com/ssoready/ssoready
  4. ›
  5. CVE-2024-47832

CVE-2024-47832: SSOReady has an XML Signature Bypass via differential XML parsing

October 11, 2024

Affected versions are vulnerable to XML signature bypass attacks. An attacker can carry out signature bypass if you have access to certain IDP-signed messages. The underlying mechanism exploits differential behavior between XML parsers.

Users of https://ssoready.com, the public hosted instance of SSOReady, are unaffected. We advise folks who self-host SSOReady to upgrade to 7f92a06 or later. Do so by updating your SSOReady Docker images from sha-... to sha-7f92a06. The documentation for self-hosting SSOReady is available here.

Vulnerability was discovered by @ahacker1-securesaml. It’s likely the precise mechanism of attack affects other SAML implementations, so the reporter and I (@ucarion) have agreed to not disclose it in detail publicly at this time.

References

  • github.com/advisories/GHSA-j2hr-q93x-gxvh
  • github.com/ssoready/ssoready
  • github.com/ssoready/ssoready/commit/7f92a0630439972fcbefa8c7eafe8c144bd89915
  • github.com/ssoready/ssoready/security/advisories/GHSA-j2hr-q93x-gxvh
  • nvd.nist.gov/vuln/detail/CVE-2024-47832
  • pkg.go.dev/vuln/GO-2024-3185
  • ssoready.com/docs/self-hosting/self-hosting-sso-ready

Code Behaviors & Features

Detect and mitigate CVE-2024-47832 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions before 0.0.0-20241009153838-7f92a0630439

Fixed versions

  • 0.0.0-20241009153838-7f92a0630439

Solution

Upgrade to version 0.0.0-20241009153838-7f92a0630439 or above.

Impact 9.8 CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Learn more about CVSS

Weakness

  • CWE-347: Improper Verification of Cryptographic Signature

Source file

go/github.com/ssoready/ssoready/CVE-2024-47832.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Wed, 14 May 2025 12:15:12 +0000.