GHSA-ww4x-rwq6-qpgf
Suggest an improvement- Source
- https://github.com/advisories/GHSA-ww4x-rwq6-qpgf
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-ww4x-rwq6-qpgf/GHSA-ww4x-rwq6-qpgf.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-ww4x-rwq6-qpgf
- Aliases
- Published
- 2019-05-29T19:11:31Z
- Modified
- 2024-02-16T08:21:54.381778Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- OmniAuth Ruby gem Cross-site Request Forgery in request phase
- Details
-
The request phase of the OmniAuth Ruby gem (1.9.2 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.
As of v2 OmniAuth no longer has the vulnerable configuration by default, but it is still possible to configure OmniAuth in such a way that the web application becomes vulnerable to Cross-Site Request Forgery. There is a recommended remediation described here.
- Database specific
{ "nvd_published_at": "2019-04-26T15:29:00Z", "cwe_ids": [ "CWE-352" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2019-05-29T19:10:54Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2015-9284
- https://github.com/omniauth/omniauth/issues/1031
- https://github.com/omniauth/omniauth-rails/pull/1
- https://github.com/omniauth/omniauth/pull/809
- https://github.com/rubysec/ruby-advisory-db/commit/aef9f623c0be838234d53baf18977564804da397
- https://github.com/omniauth/omniauth
- https://github.com/omniauth/omniauth/releases/tag/v1.9.2
- https://github.com/omniauth/omniauth/releases/tag/v2.0.0
- https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/omniauth/CVE-2015-9284.yml
- https://www.openwall.com/lists/oss-security/2015/05/26/11
Affected packages
RubyGems / omniauth
Package
- Name
- omniauth
- Purl
- pkg:gem/omniauth
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.0.0
Affected versions
0.*
0.0.1
0.0.3
0.0.4
0.0.5
0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.2.0.beta1
0.2.0.beta2
0.2.0.beta3
0.2.0.beta4
0.2.0.beta5
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.2.6
0.3.0.rc3
0.3.0
0.3.2
1.*
1.0.0.beta1
1.0.0.pr1
1.0.0.pr2
1.0.0.rc1
1.0.0.rc2
1.0.0
1.0.1
1.0.2
1.0.3
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.2.1
1.2.2
1.3.0
1.3.1
1.3.2
1.4.0
1.4.1
1.4.2
1.4.3
1.5.0
1.6.0
1.6.1
1.7.0
1.7.1
1.8.0
1.8.1
1.9.0
1.9.1
1.9.2
2.*
2.0.0.pre.rc1