Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS01ZzY2LTYyOGYtN2N2as4AA4Lx

High EPSS: 0.00239% (0.47185 Percentile) EPSS:
Permalink JSON

Omniauth::MicrosoftGraph Account takeover (nOAuth)

Affected Packages Affected Versions Fixed Versions
rubygems:omniauth-microsoft_graph
PURL: pkg:gem/omniauth-microsoft_graph
< 2.0.0 2.0.0
0 Dependent packages
11 Dependent repositories
1,527,931 Downloads total

Affected Version Ranges

All affected versions

0.1.0, 0.1.1, 0.2.0, 0.2.1, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 1.0.0, 1.1.0, 1.2.0

All unaffected versions

2.0.0, 2.0.1, 2.1.0

Summary

The implementation did not validate the legitimacy of the email attribute of the user nor did it give/document an option to do so, making it susceptible to nOAuth misconfiguration in cases when the email is used as a trusted user identifier

References:

Identifiers

GHSA-5g66-628f-7cvj

CVE-2024-21632

Risk

Severity

High

EPSS

EPSS Percentage: 0.00239

EPSS Percentile: 0.47185

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/synth/omniauth-microsoft_graph

Date and time

Published

almost 2 years ago

Updated

almost 2 years ago

API

JSON