Address low-risk omniauth security issue #1903
Comments
I took a swing at the omniauth security issue, but I don't think it's going to be a quick fix. See PR here: #1907. This is not a new issue. It has been around since 2015, but a CVE was just issued for it, which is why it's suddenly on our radar. There will eventually be a better fix in place. I don't think we're particularly vulnerable, as first someone would have to compromise Emory's Shibboleth server to take advantage of this. I recommend we wait until there is a straightforward fix available.
Exploiting this vulnerability would require someone to
We think the likelihood of that (and the corresponding risk if it ever did happen) is sufficiently low that we're closing out this issue for now.
Follow the breadcrumbs here https://github.com/curationexperts/laevigata/network/alert/Gemfile.lock/omniauth/open
and here
omniauth/omniauth#809
omniauth/omniauth-rails#1
Determine whether there is any action needed on our part.