Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
Related vulnerabilities
GSD-2013-4593
Vulnerability from gsd - Updated: 2013-11-14 00:00Details
omniauth-facebook Gem for Ruby contains a flaw that is due to the application
supporting passing the access token via the URL. This may allow a remote
attacker to bypass authentication and authenticate as another user.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2013-4593",
"description": "RubyGem omniauth-facebook has an access token security vulnerability",
"id": "GSD-2013-4593"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "omniauth-facebook",
"purl": "pkg:gem/omniauth-facebook"
}
}
],
"aliases": [
"CVE-2013-4593",
"OSVDB-99888"
],
"details": "omniauth-facebook Gem for Ruby contains a flaw that is due to the application\nsupporting passing the access token via the URL. This may allow a remote\nattacker to bypass authentication and authenticate as another user.\n",
"id": "GSD-2013-4593",
"modified": "2013-11-14T00:00:00.000Z",
"published": "2013-11-14T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4593"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 6.8,
"type": "CVSS_V2"
}
],
"summary": "omniauth-facebook Gem for Ruby Insecure Access Token Handling Authentication Bypass"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-4593",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "omniauth-facebook",
"version": {
"version_data": [
{
"version_value": "\u003c= 1.5.0"
}
]
}
}
]
},
"vendor_name": "omniauth-facebook"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "RubyGem omniauth-facebook has an access token security vulnerability"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "UNKNOWN_TYPE"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security-tracker.debian.org/tracker/CVE-2013-4593",
"refsource": "MISC",
"url": "https://security-tracker.debian.org/tracker/CVE-2013-4593"
},
{
"name": "https://access.redhat.com/security/cve/cve-2013-4593",
"refsource": "MISC",
"url": "https://access.redhat.com/security/cve/cve-2013-4593"
},
{
"name": "http://www.openwall.com/lists/oss-security/2013/11/18/6",
"refsource": "MISC",
"url": "http://www.openwall.com/lists/oss-security/2013/11/18/6"
},
{
"name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89040",
"refsource": "MISC",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89040"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2013-4593",
"cvss_v2": 6.8,
"date": "2013-11-14",
"description": "omniauth-facebook Gem for Ruby contains a flaw that is due to the application\nsupporting passing the access token via the URL. This may allow a remote\nattacker to bypass authentication and authenticate as another user.\n",
"gem": "omniauth-facebook",
"osvdb": 99888,
"patched_versions": [
"\u003e= 1.5.1"
],
"title": "omniauth-facebook Gem for Ruby Insecure Access Token Handling Authentication Bypass",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4593"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c=1.5.0",
"affected_versions": "All versions up to 1.5.0",
"credit": "Egor Homakov (@homakov)",
"cwe_ids": [
"CWE-1035",
"CWE-287",
"CWE-937"
],
"date": "2019-12-11",
"description": "The package omniauth-facebook supports passing an access token directly in the URL. Because of that, an attacker may be able to authenticate as another user by passing a valid access token obtained from Facebook for another app.",
"fixed_versions": [
"1.5.1"
],
"identifier": "CVE-2013-4593",
"identifiers": [
"CVE-2013-4593"
],
"package_slug": "gem/omniauth-facebook",
"pubdate": "2019-12-11",
"solution": "You should change your integration to use one of the secure methods using either a signed request or the code flow or upgrade to latest (1.5.1 is not yet released).",
"title": "Access token security vulnerability",
"urls": [],
"uuid": "b401e5dc-6b77-4b5b-a309-26eba6e56851"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:omniauth-facebook_project:omniauth-facebook:*:*:*:*:*:ruby:*:*",
"cpe_name": [],
"versionEndIncluding": "1.5.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-4593"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "RubyGem omniauth-facebook has an access token security vulnerability"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89040",
"refsource": "MISC",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89040"
},
{
"name": "https://security-tracker.debian.org/tracker/CVE-2013-4593",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2013-4593"
},
{
"name": "https://access.redhat.com/security/cve/cve-2013-4593",
"refsource": "MISC",
"tags": [
"Broken Link"
],
"url": "https://access.redhat.com/security/cve/cve-2013-4593"
},
{
"name": "http://www.openwall.com/lists/oss-security/2013/11/18/6",
"refsource": "MISC",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2013/11/18/6"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
},
"lastModifiedDate": "2019-12-16T15:08Z",
"publishedDate": "2019-12-11T14:15Z"
}
}
}