Ruby-Saml Flaw Bypasses GitLab Authentication

Patch releases have been published for the GitLab platform. The updated versions, 17.3.3, 17.2.6 and 17.1.8, fix a critical vulnerability that allows authentication based on Security Assertion Markup Language (SAML) to be bypassed. The vulnerability, tracked as CVE-2024-45409, lies in the Ruby libraries ruby-saml and omniauth-saml, which implement the client side of SAML authentication. Its severity is rated at the maximum level, 10 out of 10. The issue is fixed in the updated versions of ruby-saml (1.17.0 and 1.12.3) and omniauth-saml (2.2.0).

The vulnerability stems from incorrect handling of XPath selection and improper verification of XML signatures when decoding responses from the SAML server. An attacker with access to any signed SAML document can manipulate SAML responses to insert arbitrary content using a well-known technique called XML Signature Wrapping (XSW).

The attack takes a correctly signed message and adds a forged message to the XML document carrying the same identifier as the original. This manipulation can lead to unauthorized access to systems that use SAML for authentication, allowing attackers to impersonate any user within the system.
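The structural check that defeats the duplicate-identifier trick described above, written in Ruby as an added example (not code from ruby-saml, omniauth-saml or GitLab): the consumer resolves the signature's Reference URI, refuses any document in which more than one element carries that ID, and only then trusts the Assertion that is the signed element itself. The sample responses and the placeholder SignatureValue are constructed; cryptographic verification of the signature is assumed to happen in a separate step.

```ruby
require 'rexml/document'

DS   = 'http://www.w3.org/2000/09/xmldsig#'
SAML = 'urn:oasis:names:tc:SAML:2.0:assertion'
NS   = { 'ds' => DS, 'saml' => SAML }

# Constructed sample: one Assertion (ID "_a1") enveloping the Signature that
# references it. SignatureValue is a placeholder; only structure is checked here.
SIGNED_ASSERTION = <<~XML
  <saml:Assertion xmlns:saml="#{SAML}" ID="_a1">
    <ds:Signature xmlns:ds="#{DS}">
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
XML
LEGIT_RESPONSE = "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">#{SIGNED_ASSERTION}</samlp:Response>"

# Constructed sample of the shape the article describes: an unsigned Assertion
# reusing ID "_a1" with a different subject, placed beside the signed one.
WRAPPED_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Assertion xmlns:saml="#{SAML}" ID="_a1">
      <saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>
    </saml:Assertion>
    #{SIGNED_ASSERTION}
  </samlp:Response>
XML

# Returns the Assertion whose claims may be consumed, or nil if the document
# must be rejected. Cryptographic verification of the signature is separate.
def signed_assertion(xml)
  doc = REXML::Document.new(xml)
  refs = REXML::XPath.match(doc, '//ds:Reference', NS)
  return nil unless refs.size == 1                       # exactly one signed element
  id = refs.first.attributes['URI'].to_s.delete_prefix('#')
  # Every element carrying the referenced ID, not just the first hit: a duplicate
  # ID is precisely the ambiguity a wrapped document relies on.
  targets = REXML::XPath.match(doc, '//*').select { |e| e.attributes['ID'] == id }
  return nil unless targets.size == 1
  target = targets.first
  return nil unless target.name == 'Assertion' && target.namespace == SAML
  return nil unless REXML::XPath.first(target, 'ds:Signature', NS)   # enveloped signature
  target
end

def subject_name(xml)
  assertion = signed_assertion(xml)
  return nil unless assertion
  REXML::XPath.first(assertion, 'saml:Subject/saml:NameID', NS)&.text
end
```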
