CVE-2024-21632

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-21632

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-21632.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-21632

Aliases

GHSA-5g66-628f-7cvj

Published

2024-01-02T22:15:10Z

Modified

2024-05-14T13:08:45.216369Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

omniauth-microsoft_graph provides an Omniauth strategy for the Microsoft Graph API. Prior to versions 2.0.0, the implementation did not validate the legitimacy of the email attribute of the user nor did it give/document an option to do so, making it susceptible to nOAuth misconfiguration in cases when the email is used as a trusted user identifier. This could lead to account takeover. Version 2.0.0 contains a fix for this issue.

References

Affected packages

Git / github.com/synth/omniauth-microsoft_graph

Affected ranges

Type: GIT
Repo: https://github.com/synth/omniauth-microsoft_graph
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

f132078389612b797c872b45bd0e0b47382414c1

Affected versions

0.*

0.3.0

0.3.1

0.3.2

0.3.3

1.*

1.0.0

1.1.0

Other

pre-oauth-v2