CVE-2024-21632

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-21632
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-21632.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-21632
Aliases
Published
2024-01-02T22:15:10Z
Modified
2024-05-14T13:08:45.216369Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

omniauth-microsoft_graph provides an Omniauth strategy for the Microsoft Graph API. Prior to versions 2.0.0, the implementation did not validate the legitimacy of the email attribute of the user nor did it give/document an option to do so, making it susceptible to nOAuth misconfiguration in cases when the email is used as a trusted user identifier. This could lead to account takeover. Version 2.0.0 contains a fix for this issue.

References

Affected packages

Git / github.com/synth/omniauth-microsoft_graph

Affected ranges

Type
GIT
Repo
https://github.com/synth/omniauth-microsoft_graph
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.3.0
0.3.1
0.3.2
0.3.3

1.*

1.0.0
1.1.0

Other

pre-oauth-v2