Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXd3NHgtcndxNi1xcGdm
OmniAuth Ruby gem Cross-site Request Forgery in request phase
The request phase of the OmniAuth Ruby gem (1.9.2 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.
As of v2, OmniAuth no longer has the vulnerable configuration by default, but it is still possible to configure OmniAuth in such a way that the web application becomes vulnerable to Cross-Site Request Forgery. A recommended remediation is described in the OmniAuth wiki page "Resolving-CVE-2015-9284" listed under References below.
Permalink: https://github.com/advisories/GHSA-ww4x-rwq6-qpgf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXd3NHgtcndxNi1xcGdm
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 5 years ago
Updated: 9 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-ww4x-rwq6-qpgf, CVE-2015-9284
References:
- https://nvd.nist.gov/vuln/detail/CVE-2015-9284
- https://github.com/omniauth/omniauth-rails/pull/1
- https://github.com/omniauth/omniauth/pull/809
- https://www.openwall.com/lists/oss-security/2015/05/26/11
- https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
- https://github.com/rubysec/ruby-advisory-db/commit/aef9f623c0be838234d53baf18977564804da397
- https://github.com/omniauth/omniauth/releases/tag/v2.0.0
- https://github.com/omniauth/omniauth/issues/1031
- https://github.com/omniauth/omniauth/releases/tag/v1.9.2
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/omniauth/CVE-2015-9284.yml
- https://github.com/advisories/GHSA-ww4x-rwq6-qpgf
Blast Radius: 41.7
Affected Packages
rubygems:omniauth
Dependent packages: 924
Dependent repositories: 54,474
Downloads: 157,638,532 total
Affected Version Ranges: <= 1.9.2
Fixed in: 2.0.0
All affected versions: 0.0.1, 0.0.3, 0.0.4, 0.0.5, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.3.0, 0.3.2, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2.1, 1.2.2, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.5.0, 1.6.0, 1.6.1, 1.7.0, 1.7.1, 1.8.0, 1.8.1, 1.9.0, 1.9.1, 1.9.2
All unaffected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0, 2.1.1, 2.1.2