CVE Vulnerabilities

CVE-2024-47832

Improper Verification of Cryptographic Signature

Published: Oct 09, 2024 | Modified: Mar 06, 2025
CVSS 3.x
9.8
CRITICAL
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu

ssoready is a single sign on provider implemented via docker. Affected versions are vulnerable to XML signature bypass attacks. An attacker can carry out signature bypass if you have access to certain IDP-signed messages. The underlying mechanism exploits differential behavior between XML parsers. Users of https://ssoready.com, the public hosted instance of SSOReady, are unaffected. We advise folks who self-host SSOReady to upgrade to 7f92a06 or later. Do so by updating your SSOReady Docker images from sha-… to sha-7f92a06. There are no known workarounds for this vulnerability.

Weakness

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Affected Software

Name Vendor Start Version End Version
Ssoready Ssoready * 2024-10-09 (excluding)

References