Sha256: 7bcdca69c95751d3559adf0e265d6e201d3bb577a0769ad16c3bf0a2e28581ec
Contents?: true
Size: 859 Bytes
Versions: 1
Compression:
Stored size: 859 Bytes
Contents
---
gem: omniauth
cve: 2015-9284
url: https://github.com/omniauth/omniauth/pull/809
title: CSRF vulnerability in OmniAuth's request phase
date: 2015-05-25
description: |
The request phase of the OmniAuth Ruby gem is vulnerable to Cross-Site
Request Forgery (CSRF) when used as part of the Ruby on Rails framework, allowing
accounts to be connected without user intent, user interaction, or feedback to
the user. This permits a secondary account to be able to sign into the web
application as the primary account.
In order to mitigate this vulnerability, Rails users should consider using the
`omniauth-rails_csrf_protection` gem.
More info is available here: https://github.com/omniauth/omniauth/pull/809#issuecomment-502079405
cvss_v2: 6.8
cvss_v3: 8.8
related:
url:
- https://github.com/cookpad/omniauth-rails_csrf_protection
Version data entries
1 entries across 1 versions & 1 rubygems
| Version | Path |
|---|---|
| bundler-audit-0.7.0.1 | data/ruby-advisory-db/gems/omniauth/CVE-2015-9284.yml |