Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
6 vulnerabilities found for omniauth by omniauth
CVE-2020-36599 (GCVE-0-2020-36599)
Vulnerability from cvelistv5 – Published: 2022-08-18 22:48 – Updated: 2024-08-04 17:30
VLAI
Summary
lib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2 (and before 2.0) does not escape the message_key value.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/omniauth/omniauth/commit/43a39… | x_refsource_MISC |
| https://rubygems.org/gems/omniauth/versions/1.9.2 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:30:08.472Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/omniauth/omniauth/commit/43a396f181ef7d0ed2ec8291c939c95e3ed3ff00#diff-575abda9deb9b1a77bf534e898a923029b9a61e991d626db88dc6e8b34260aa2"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://rubygems.org/gems/omniauth/versions/1.9.2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "lib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2 (and before 2.0) does not escape the message_key value."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-19T15:35:08.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/omniauth/omniauth/commit/43a396f181ef7d0ed2ec8291c939c95e3ed3ff00#diff-575abda9deb9b1a77bf534e898a923029b9a61e991d626db88dc6e8b34260aa2"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://rubygems.org/gems/omniauth/versions/1.9.2"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-36599",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "lib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2 (and before 2.0) does not escape the message_key value."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/omniauth/omniauth/commit/43a396f181ef7d0ed2ec8291c939c95e3ed3ff00#diff-575abda9deb9b1a77bf534e898a923029b9a61e991d626db88dc6e8b34260aa2",
"refsource": "MISC",
"url": "https://github.com/omniauth/omniauth/commit/43a396f181ef7d0ed2ec8291c939c95e3ed3ff00#diff-575abda9deb9b1a77bf534e898a923029b9a61e991d626db88dc6e8b34260aa2"
},
{
"name": "https://rubygems.org/gems/omniauth/versions/1.9.2",
"refsource": "MISC",
"url": "https://rubygems.org/gems/omniauth/versions/1.9.2"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-36599",
"datePublished": "2022-08-18T22:48:07.000Z",
"dateReserved": "2022-08-18T00:00:00.000Z",
"dateUpdated": "2024-08-04T17:30:08.472Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-9284 (GCVE-0-2015-9284)
Vulnerability from cvelistv5 – Published: 2019-04-26 14:03 – Updated: 2024-08-06 08:43
VLAI
Summary
The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.
Severity
No CVSS data available.
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF) (CWE-352)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/omniauth/omniauth/pull/809 | x_refsource_MISC |
| https://github.com/omniauth/omniauth-rails/pull/1 | x_refsource_MISC |
| https://www.openwall.com/lists/oss-security/2015/… | mailing-listx_refsource_MLIST |
| https://github.com/omniauth/omniauth/wiki/Resolvi… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | omniauth ruby gem |
Affected:
All versions
|
Date Public
2015-05-25 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:43:42.338Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/omniauth/omniauth/pull/809"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/omniauth/omniauth-rails/pull/1"
},
{
"name": "[oss-security] 20150526 CVE Request: CSRF vulnerability in OmniAuth request phase",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://www.openwall.com/lists/oss-security/2015/05/26/11"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "omniauth ruby gem",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"datePublic": "2015-05-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "Cross-Site Request Forgery (CSRF) (CWE-352)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-04T14:41:58.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/omniauth/omniauth/pull/809"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/omniauth/omniauth-rails/pull/1"
},
{
"name": "[oss-security] 20150526 CVE Request: CSRF vulnerability in OmniAuth request phase",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://www.openwall.com/lists/oss-security/2015/05/26/11"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2015-9284",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "omniauth ruby gem",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Request Forgery (CSRF) (CWE-352)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/omniauth/omniauth/pull/809",
"refsource": "MISC",
"url": "https://github.com/omniauth/omniauth/pull/809"
},
{
"name": "https://github.com/omniauth/omniauth-rails/pull/1",
"refsource": "MISC",
"url": "https://github.com/omniauth/omniauth-rails/pull/1"
},
{
"name": "[oss-security] 20150526 CVE Request: CSRF vulnerability in OmniAuth request phase",
"refsource": "MLIST",
"url": "https://www.openwall.com/lists/oss-security/2015/05/26/11"
},
{
"name": "https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284",
"refsource": "MISC",
"url": "https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2015-9284",
"datePublished": "2019-04-26T14:03:53.000Z",
"dateReserved": "2019-04-09T00:00:00.000Z",
"dateUpdated": "2024-08-06T08:43:42.338Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-18076 (GCVE-0-2017-18076)
Vulnerability from cvelistv5 – Published: 2018-01-26 19:00 – Updated: 2024-08-05 21:13
VLAI
Summary
In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected because POST (in addition to GET) parameters are stored in the session and become available in the environment of the callback phase.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/omniauth/omniauth/pull/867 | x_refsource_CONFIRM |
| https://www.debian.org/security/2018/dsa-4109 | vendor-advisoryx_refsource_DEBIAN |
| https://bugs.debian.org/888523 | x_refsource_CONFIRM |
| https://github.com/omniauth/omniauth/pull/867/com… | x_refsource_CONFIRM |
Date Public
2018-01-26 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:13:47.519Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/omniauth/omniauth/pull/867"
},
{
"name": "DSA-4109",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4109"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.debian.org/888523"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/omniauth/omniauth/pull/867/commits/71866c5264122e196847a3980c43051446a03e9b"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-01-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected because POST (in addition to GET) parameters are stored in the session and become available in the environment of the callback phase."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-02-10T10:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/omniauth/omniauth/pull/867"
},
{
"name": "DSA-4109",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4109"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.debian.org/888523"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/omniauth/omniauth/pull/867/commits/71866c5264122e196847a3980c43051446a03e9b"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18076",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected because POST (in addition to GET) parameters are stored in the session and become available in the environment of the callback phase."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/omniauth/omniauth/pull/867",
"refsource": "CONFIRM",
"url": "https://github.com/omniauth/omniauth/pull/867"
},
{
"name": "DSA-4109",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4109"
},
{
"name": "https://bugs.debian.org/888523",
"refsource": "CONFIRM",
"url": "https://bugs.debian.org/888523"
},
{
"name": "https://github.com/omniauth/omniauth/pull/867/commits/71866c5264122e196847a3980c43051446a03e9b",
"refsource": "CONFIRM",
"url": "https://github.com/omniauth/omniauth/pull/867/commits/71866c5264122e196847a3980c43051446a03e9b"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18076",
"datePublished": "2018-01-26T19:00:00.000Z",
"dateReserved": "2018-01-26T00:00:00.000Z",
"dateUpdated": "2024-08-05T21:13:47.519Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36599 (GCVE-0-2020-36599)
Vulnerability from nvd – Published: 2022-08-18 22:48 – Updated: 2024-08-04 17:30
VLAI
Summary
lib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2 (and before 2.0) does not escape the message_key value.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/omniauth/omniauth/commit/43a39… | x_refsource_MISC |
| https://rubygems.org/gems/omniauth/versions/1.9.2 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:30:08.472Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/omniauth/omniauth/commit/43a396f181ef7d0ed2ec8291c939c95e3ed3ff00#diff-575abda9deb9b1a77bf534e898a923029b9a61e991d626db88dc6e8b34260aa2"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://rubygems.org/gems/omniauth/versions/1.9.2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "lib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2 (and before 2.0) does not escape the message_key value."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-19T15:35:08.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/omniauth/omniauth/commit/43a396f181ef7d0ed2ec8291c939c95e3ed3ff00#diff-575abda9deb9b1a77bf534e898a923029b9a61e991d626db88dc6e8b34260aa2"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://rubygems.org/gems/omniauth/versions/1.9.2"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-36599",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "lib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2 (and before 2.0) does not escape the message_key value."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/omniauth/omniauth/commit/43a396f181ef7d0ed2ec8291c939c95e3ed3ff00#diff-575abda9deb9b1a77bf534e898a923029b9a61e991d626db88dc6e8b34260aa2",
"refsource": "MISC",
"url": "https://github.com/omniauth/omniauth/commit/43a396f181ef7d0ed2ec8291c939c95e3ed3ff00#diff-575abda9deb9b1a77bf534e898a923029b9a61e991d626db88dc6e8b34260aa2"
},
{
"name": "https://rubygems.org/gems/omniauth/versions/1.9.2",
"refsource": "MISC",
"url": "https://rubygems.org/gems/omniauth/versions/1.9.2"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-36599",
"datePublished": "2022-08-18T22:48:07.000Z",
"dateReserved": "2022-08-18T00:00:00.000Z",
"dateUpdated": "2024-08-04T17:30:08.472Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-9284 (GCVE-0-2015-9284)
Vulnerability from nvd – Published: 2019-04-26 14:03 – Updated: 2024-08-06 08:43
VLAI
Summary
The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.
Severity
No CVSS data available.
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF) (CWE-352)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/omniauth/omniauth/pull/809 | x_refsource_MISC |
| https://github.com/omniauth/omniauth-rails/pull/1 | x_refsource_MISC |
| https://www.openwall.com/lists/oss-security/2015/… | mailing-listx_refsource_MLIST |
| https://github.com/omniauth/omniauth/wiki/Resolvi… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | omniauth ruby gem |
Affected:
All versions
|
Date Public
2015-05-25 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:43:42.338Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/omniauth/omniauth/pull/809"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/omniauth/omniauth-rails/pull/1"
},
{
"name": "[oss-security] 20150526 CVE Request: CSRF vulnerability in OmniAuth request phase",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://www.openwall.com/lists/oss-security/2015/05/26/11"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "omniauth ruby gem",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"datePublic": "2015-05-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "Cross-Site Request Forgery (CSRF) (CWE-352)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-04T14:41:58.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/omniauth/omniauth/pull/809"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/omniauth/omniauth-rails/pull/1"
},
{
"name": "[oss-security] 20150526 CVE Request: CSRF vulnerability in OmniAuth request phase",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://www.openwall.com/lists/oss-security/2015/05/26/11"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2015-9284",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "omniauth ruby gem",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Request Forgery (CSRF) (CWE-352)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/omniauth/omniauth/pull/809",
"refsource": "MISC",
"url": "https://github.com/omniauth/omniauth/pull/809"
},
{
"name": "https://github.com/omniauth/omniauth-rails/pull/1",
"refsource": "MISC",
"url": "https://github.com/omniauth/omniauth-rails/pull/1"
},
{
"name": "[oss-security] 20150526 CVE Request: CSRF vulnerability in OmniAuth request phase",
"refsource": "MLIST",
"url": "https://www.openwall.com/lists/oss-security/2015/05/26/11"
},
{
"name": "https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284",
"refsource": "MISC",
"url": "https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2015-9284",
"datePublished": "2019-04-26T14:03:53.000Z",
"dateReserved": "2019-04-09T00:00:00.000Z",
"dateUpdated": "2024-08-06T08:43:42.338Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-18076 (GCVE-0-2017-18076)
Vulnerability from nvd – Published: 2018-01-26 19:00 – Updated: 2024-08-05 21:13
VLAI
Summary
In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected because POST (in addition to GET) parameters are stored in the session and become available in the environment of the callback phase.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/omniauth/omniauth/pull/867 | x_refsource_CONFIRM |
| https://www.debian.org/security/2018/dsa-4109 | vendor-advisoryx_refsource_DEBIAN |
| https://bugs.debian.org/888523 | x_refsource_CONFIRM |
| https://github.com/omniauth/omniauth/pull/867/com… | x_refsource_CONFIRM |
Date Public
2018-01-26 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:13:47.519Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/omniauth/omniauth/pull/867"
},
{
"name": "DSA-4109",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4109"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.debian.org/888523"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/omniauth/omniauth/pull/867/commits/71866c5264122e196847a3980c43051446a03e9b"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-01-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected because POST (in addition to GET) parameters are stored in the session and become available in the environment of the callback phase."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-02-10T10:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/omniauth/omniauth/pull/867"
},
{
"name": "DSA-4109",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4109"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.debian.org/888523"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/omniauth/omniauth/pull/867/commits/71866c5264122e196847a3980c43051446a03e9b"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-18076",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected because POST (in addition to GET) parameters are stored in the session and become available in the environment of the callback phase."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/omniauth/omniauth/pull/867",
"refsource": "CONFIRM",
"url": "https://github.com/omniauth/omniauth/pull/867"
},
{
"name": "DSA-4109",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4109"
},
{
"name": "https://bugs.debian.org/888523",
"refsource": "CONFIRM",
"url": "https://bugs.debian.org/888523"
},
{
"name": "https://github.com/omniauth/omniauth/pull/867/commits/71866c5264122e196847a3980c43051446a03e9b",
"refsource": "CONFIRM",
"url": "https://github.com/omniauth/omniauth/pull/867/commits/71866c5264122e196847a3980c43051446a03e9b"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-18076",
"datePublished": "2018-01-26T19:00:00.000Z",
"dateReserved": "2018-01-26T00:00:00.000Z",
"dateUpdated": "2024-08-05T21:13:47.519Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}