Sha256: 2c8227e6d628184704700b72186b58eaddc13a43aab85e02172c2d8b696d3b1a

Contents?: true

Size: 1.21 KB

Versions: 20

Compression:

Stored size: 1.21 KB

Contents

module Codesake
	module Dawn
		module Kb
			# Automatically created with rake on 2013-11-26
			class CVE_2013_4562
				include DependencyCheck

				def initialize
          message = "Because of the way that omniauth-facebook supports setting a per-request state parameter by storing it in the session, it is possible to circumvent the automatic CSRF protection. Therefore the CSRF added in 1.4.1 should be considered broken. If you are currently providing a custom state, you will need to store and retrieve this yourself (for example, by using the session store) to use 1.5.0."
          super({
            :name=>"CVE-2013-4562",
            :cvss=>"not assigned",
            :release_date => Date.new(2013, 11, 14),
            :cwe=>"",
            :owasp=>"A9", 
            :applies=>["rails", "sinatra", "padrino"],
            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
            :message=>message,
            :mitigation=>"You must upgrade at least to 1.5.0 or later",
            :aux_links=>["https://groups.google.com/forum/#!msg/ruby-security-ann/-tJHNlTiPh4/9SJxdEWLIawJ"]
          })

          self.safe_dependencies = [{:name=>"omniauth-facebook", :version=>['1.5.0']}]

				end
			end
		end
	end
end

Version data entries

20 entries across 20 versions & 2 rubygems

Version Path
dawnscanner-1.2.99 lib/codesake/dawn/kb/cve_2013_4562.rb
codesake-dawn-1.2.99 lib/codesake/dawn/kb/cve_2013_4562.rb
codesake-dawn-1.2.0 lib/codesake/dawn/kb/cve_2013_4562.rb
codesake-dawn-1.1.3 lib/codesake/dawn/kb/cve_2013_4562.rb
codesake-dawn-1.1.2 lib/codesake/dawn/kb/cve_2013_4562.rb
codesake-dawn-1.1.1 lib/codesake/dawn/kb/cve_2013_4562.rb
codesake-dawn-1.1.0 lib/codesake/dawn/kb/cve_2013_4562.rb
codesake-dawn-1.1.0.rc2 lib/codesake/dawn/kb/cve_2013_4562.rb
codesake-dawn-1.1.0.rc1 lib/codesake/dawn/kb/cve_2013_4562.rb
codesake-dawn-1.0.6 lib/codesake/dawn/kb/cve_2013_4562.rb
codesake-dawn-1.0.5 lib/codesake/dawn/kb/cve_2013_4562.rb
codesake-dawn-1.0.4 lib/codesake/dawn/kb/cve_2013_4562.rb
codesake-dawn-1.0.3 lib/codesake/dawn/kb/cve_2013_4562.rb
codesake-dawn-1.0.2 lib/codesake/dawn/kb/cve_2013_4562.rb
codesake-dawn-1.0.1 lib/codesake/dawn/kb/cve_2013_4562.rb
codesake-dawn-1.0.0 lib/codesake/dawn/kb/cve_2013_4562.rb
codesake-dawn-1.0.0.rc2 lib/codesake/dawn/kb/cve_2013_4562.rb
codesake-dawn-1.0.0.rc1 lib/codesake/dawn/kb/cve_2013_4562.rb
codesake-dawn-0.85 lib/codesake/dawn/kb/cve_2013_4562.rb
codesake-dawn-0.80.0 lib/codesake/dawn/kb/cve_2013_4562.rb