CVE-2017-11427 – OneLogin’s “python-saml”
CVE-2017-11428 – OneLogin’s “ruby-saml”
CVE-2017-11429 – Clever’s “saml2-js”
CVE-2017-11430 – “OmniAuth-SAML”
CVE-2018-0489 – Shibboleth openSAML C++
VU#475445 (https://www.kb.cert.org/vuls/id/475445) concerns hijacking SAML documents by inserting comments into fields, which can cause a user to be identified incorrectly. As a SAML Service Provider, Spotinst has verified that all XML parsing within our system handles comments correctly. Spotinst does not use any of the libraries specifically called out. Furthermore, we have tested the core XML libraries in use against the described attacks. Testing has revealed that the vulnerability cannot be reproduced against our Service Provider SAML interfaces.
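The kind of parser self-check described above, as an added example that is not Spotinst's code or any SAML library's API: it parses a constructed Subject fragment whose NameID contains an XML comment using only Python's standard-library minidom, and contrasts an extractor that reads only the first text node (which loses everything after the comment) with one that joins all text children and one that rejects commented identifiers outright. Function and sample names are hypothetical.

```python
"""Self-check for the comment-handling behaviour VU#475445 describes.

Runs offline against a constructed SAML Subject fragment whose NameID
contains an XML comment, using only Python's standard-library minidom.
Function and sample names are hypothetical, not Spotinst's or any SAML
library's own API.
"""
from xml.dom import minidom
from xml.dom.minidom import Node

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: the comment splits the NameID text into two text nodes.
SAMPLE_SUBJECT = (
    f'<saml:Subject xmlns:saml="{SAML_NS}">'
    "<saml:NameID>alice@example.com<!-- -->.example.net</saml:NameID>"
    "</saml:Subject>"
)
FULL_NAME_ID = "alice@example.com.example.net"


def _name_id_node(xml_text: str):
    doc = minidom.parseString(xml_text)
    return doc.getElementsByTagNameNS(SAML_NS, "NameID")[0]


def name_id_first_text_node(xml_text: str) -> str:
    """Fragile extractor: reads only the first child text node, so anything
    after a comment is silently dropped and a different user may be matched."""
    return _name_id_node(xml_text).firstChild.nodeValue


def name_id_all_text(xml_text: str) -> str:
    """Hardened extractor: joins every text/CDATA child and skips comment
    nodes, yielding the complete value the IdP signed."""
    node = _name_id_node(xml_text)
    text_types = (Node.TEXT_NODE, Node.CDATA_SECTION_NODE)
    return "".join(c.data for c in node.childNodes if c.nodeType in text_types)


def name_id_strict(xml_text: str) -> str:
    """Strictest option: refuse any NameID that is not a single run of text.
    Comments have no business inside an identifier, so reject them outright."""
    node = _name_id_node(xml_text)
    if any(c.nodeType == Node.COMMENT_NODE for c in node.childNodes):
        raise ValueError("NameID contains an XML comment; assertion rejected")
    return name_id_all_text(xml_text)


def parser_handles_comments(xml_text: str = SAMPLE_SUBJECT) -> bool:
    """True when the hardened extractor sees the full identifier, i.e. the
    parser did not let the comment truncate the value."""
    return name_id_all_text(xml_text) == FULL_NAME_ID
```

Running `parser_handles_comments()` against the same fragment through whichever XML library a Service Provider actually uses is the check worth automating; a result of False means the library needs the hardened extraction path.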
With that said, upstream Identity Providers (IdPs) will need to make their own modifications to ensure their platforms properly support comments within SAML documents. Please refer to statements from your IdP service and/or library regarding the mitigations they have taken for this vulnerability.
Please don’t hesitate to reach out to Spotinst Customer Support (firstname.lastname@example.org) with any security questions.