---
gem: ruby-openid
cve: 2019-11027
ghsa: fqfj-cmh6-hj49
url: https://github.com/openid/ruby-openid/issues/122
date: 2019-06-13
title: ruby-openid SSRF via claimed_id request
description: |
  Ruby OpenID (aka ruby-openid) through 2.8.0 has a remotely exploitable
  flaw. This library is used by Rails web applications to integrate with OpenID Providers.
  Severity can range from medium to critical, depending on how a web application developer
  chose to employ the ruby-openid library. Developers who based their OpenID integration
  heavily on the "example app" provided by the project are at highest risk.
cvss_v3: 9.8
patched_versions:
- ">= 2.9.0"