-
-
Notifications
You must be signed in to change notification settings - Fork 221
/
CVE-2015-9284.yml
26 lines (24 loc) · 975 Bytes
/
CVE-2015-9284.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
---
gem: omniauth
cve: 2015-9284
ghsa: ww4x-rwq6-qpgf
url: https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
title: CSRF vulnerability in OmniAuth's request phase
date: 2015-05-25
description: |
The request phase of the OmniAuth Ruby gem is vulnerable to Cross-Site
Request Forgery (CSRF) when used as part of the Ruby on Rails framework, allowing
accounts to be connected without user intent, user interaction, or feedback to
the user. This permits a secondary account to be able to sign into the web
application as the primary account.
In order to mitigate this vulnerability, Rails users should consider using the
`omniauth-rails_csrf_protection` gem.
More info is available here: https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
cvss_v2: 6.8
cvss_v3: 8.8
patched_versions:
- ">= 2.0.0"
related:
url:
- https://github.com/omniauth/omniauth/pull/809
- https://github.com/cookpad/omniauth-rails_csrf_protection