GHSA-pm55-qfxr-h247

Source

https://github.com/advisories/GHSA-pm55-qfxr-h247

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-pm55-qfxr-h247/GHSA-pm55-qfxr-h247.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-pm55-qfxr-h247

Aliases

CVE-2020-36599

Published

2022-08-19T00:00:16Z

Modified

2023-11-08T04:03:48.034548Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

OmniAuth's `lib/omniauth/failure_endpoint.rb` does not escape `message_key` value

Details

lib/omniauth/failureendpoint.rb in OmniAuth before 1.9.2 (and before 2.0) does not escape the messagekey value.

Database specific

{
    "nvd_published_at": "2022-08-18T23:15:00Z",
    "github_reviewed_at": "2022-08-31T18:47:40Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-116"
    ]
}

References

Affected packages

RubyGems / omniauth

Package

Name: omniauth
Purl: pkg:gem/omniauth

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.9.2

Affected versions

0.*

0.0.1

0.0.3

0.0.4

0.0.5

0.1.0

0.1.1

0.1.2

0.1.3

0.1.4

0.1.5

0.1.6

0.2.0.beta1

0.2.0.beta2

0.2.0.beta3

0.2.0.beta4

0.2.0.beta5

0.2.0

0.2.1

0.2.2

0.2.3

0.2.4

0.2.5

0.2.6

0.3.0.rc3

0.3.0

0.3.2

1.*

1.0.0.beta1

1.0.0.pr1

1.0.0.pr2

1.0.0.rc1

1.0.0.rc2

1.0.0

1.0.1

1.0.2

1.0.3

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.2.1

1.2.2

1.3.0

1.3.1

1.3.2

1.4.0

1.4.1

1.4.2

1.4.3

1.5.0

1.6.0

1.6.1

1.7.0

1.7.1

1.8.0

1.8.1

1.9.0

1.9.1

RubyGems / omniauth

Package

Name: omniauth
Purl: pkg:gem/omniauth

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0.pre.rc1

Fixed

2.0.0

Affected versions

2.*

2.0.0.pre.rc1