GHSA SYNC: 2 brand new advisorites

jasnow · postmodern · commit d22c3ba9e7b4 · 2025-12-12T13:24:36.000-08:00
diff --git a/gems/ruby-saml/CVE-2025-66567.yml b/gems/ruby-saml/CVE-2025-66567.yml
@@ -0,0 +1,33 @@
+---
+gem: ruby-saml
+cve: 2025-66567
+ghsa: 9v8j-x534-2fx3
+url: https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-9v8j-x534-2fx3
+title: Ruby-saml has a SAML authentication bypass due to namespace
+  handling (parser differential)
+date: 2025-12-08
+description: |
+  ### Summary
+
+  Ruby-saml up to and including 1.12.4, there is an authentication
+  bypass vulnerability because of an incomplete fix for CVE-2025-25292.
+  ReXML and Nokogiri parse XML differently, the parsers can generate
+  entirely different document structures from the same XML input.
+  That allows an attacker to be able to execute a Signature Wrapping
+  attack. The vulnerability does not affect the version 1.18.0.
+
+  ### Impact
+
+  That allows an attacker to be able to execute a Signature Wrapping
+  attack and bypass the authentication
+cvss_v3: 9.1
+cvss_v4: 9.3
+patched_versions:
+  - ">= 1.18.0"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-66567
+    - https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-9v8j-x534-2fx3
+    - https://github.com/SAML-Toolkits/ruby-saml/commit/e9c1cdbd0f9afa467b585de279db0cbd0fb8ae97
+    - https://github.com/advisories/GHSA-754f-8gm6-c4r2
+    - https://github.com/advisories/GHSA-9v8j-x534-2fx3
diff --git a/gems/ruby-saml/CVE-2025-66568.yml b/gems/ruby-saml/CVE-2025-66568.yml
@@ -0,0 +1,44 @@
+---
+gem: ruby-saml
+cve: 2025-66568
+ghsa: x4h9-gwv3-r4m4
+url: https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-x4h9-gwv3-r4m4
+title: Ruby-saml allows a Libxml2 Canonicalization error to bypass
+  Digest/Signature validation
+date: 2025-12-08
+description: |
+  ### Summary
+
+  Ruby-saml up to and including 1.12.4, there is an authentication
+  bypass vulnerability because of an issue at libxml2 canonicalization
+  process used by Nokogiri for document transformation. That allows
+  an attacker to be able to execute a Signature Wrapping attack.
+  The vulnerability does not affect the version 1.18.0.
+
+  ### Details
+
+  When libxml2’s canonicalization is invoked on an invalid XML input,
+  it may return an empty string rather than a canonicalized node.
+  ruby-saml then proceeds to compute the DigestValue over this empty
+  string, treating it as if canonicalization succeeded.
+
+  ### Impact
+
+  1. Digest bypass: By crafting input that causes canonicalization to
+     yield an empty string, the attacker can manipulate validation to
+     pass incorrectly.
+
+  2. Signature replay on empty canonical form: If an empty string has
+     been signed once (e.g., in a prior interaction or via a
+     misconfigured flow), that signature can potentially be replayed
+     to bypass authentication.
+cvss_v3: 9.1
+cvss_v4: 9.3
+patched_versions:
+  - ">= 1.18.0"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-66568
+    - https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-x4h9-gwv3-r4m4
+    - https://github.com/SAML-Toolkits/ruby-saml/commit/acac9e9cc0b9a507882c614f25d41f8b47be349a
+    - https://github.com/advisories/GHSA-x4h9-gwv3-r4m4
