SAML vulnerability update (CVE-2017-11428)
Incident Report for Contentful
Resolved
A security vulnerability was found in the way Single Sign-On works when using SAML (Security Assertion Markup Language) [1] and was responsibly disclosed on Tuesday, 27 February 2018. It affected the ruby-saml gem [2], a dependency of our application, and the issue in that gem was assigned CVE-2017-11428. The maintainer released a patched version of the gem the same day [2].
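The failure class behind CVE-2017-11428, as described in the Duo write-up [1], is a mismatch between how a SAML response is canonicalized for signature verification (XML comments are dropped, so the signature still verifies) and how the service provider's XML parser extracts the NameID text (it may stop at the comment, so the application sees a truncated identity). The following Ruby illustration is added here for the record; it is not Contentful's code and not ruby-saml's own implementation. It uses the standard REXML parser, the assertion fragment is constructed for the example, and the function names are chosen for this illustration. Signature verification itself is out of scope of the snippet; it shows only the text-extraction step that the attack targets.

```ruby
require "rexml/document"

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion (not a captured message). The attacker's own
# IdP-registered identity is alice@example.com.evil.example; they insert an
# empty XML comment after "alice@example.com". Exclusive canonicalization
# removes comments before signing/verifying, so the IdP signature over the
# uncommented value still verifies and only the SP's text extraction is hit.
SAMPLE_ASSERTION = <<~XML
  <saml:Assertion xmlns:saml="#{SAML_NS}">
    <saml:Subject>
      <saml:NameID>alice@example.com<!---->.evil.example</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
XML

# Locate the NameID element, namespace-aware.
def name_id_element(xml)
  doc = REXML::Document.new(xml)
  el = REXML::XPath.first(doc, "//saml:NameID", "saml" => SAML_NS)
  raise ArgumentError, "no NameID in assertion" unless el
  el
end

# Vulnerable extraction: REXML::Element#text returns only the FIRST text
# child, so everything after the comment is silently discarded and the SP
# would log the attacker in as "alice@example.com".
def name_id_first_text(xml)
  name_id_element(xml).text
end

# Fixed extraction: concatenate every text child, so the value the
# application acts on matches the value the signature covered.
def name_id_all_text(xml)
  name_id_element(xml).texts.map(&:value).join
end

# Stricter variant: a NameID has no legitimate reason to contain comments
# or child elements, so reject the assertion instead of reinterpreting it.
def name_id_strict(xml)
  el = name_id_element(xml)
  unless el.children.all? { |c| c.is_a?(REXML::Text) }
    raise ArgumentError, "NameID contains non-text nodes (comment or element)"
  end
  el.texts.map(&:value).join
end

if __FILE__ == $PROGRAM_NAME
  puts "first text only : #{name_id_first_text(SAMPLE_ASSERTION)}"
  puts "all text joined : #{name_id_all_text(SAMPLE_ASSERTION)}"
  begin
    name_id_strict(SAMPLE_ASSERTION)
  rescue ArgumentError => e
    puts "strict          : rejected (#{e.message})"
  end
end
```

The same truncation applies to attribute values, not just the NameID, and to any XML library whose "text of this element" accessor stops at the first text node; joining all text children (or rejecting mixed content outright, as the strict variant does) is the behaviour a service provider needs, and upgrading the affected gem is how it is obtained in practice.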

Our engineers assessed the issue and deployed the patched dependency to our platform. As of 08:00 UTC on 28 February 2018, our customers are not affected by this vulnerability.

If you have any questions, please contact our Security Team and Support Team at support@contentful.com.

[1] https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
[2] https://github.com/onelogin/ruby-saml
Posted Feb 28, 2018 - 10:36 UTC