---
gem: omniauth
cve: 2015-9284
url: https://github.com/omniauth/omniauth/pull/809
title: CSRF vulnerability in OmniAuth's request phase
date: 2015-05-25

description: |
  The request phase of the OmniAuth Ruby gem is vulnerable to Cross-Site
  Request Forgery (CSRF) when used as part of the Ruby on Rails framework, allowing
  accounts to be connected without user intent, user interaction, or feedback to
  the user. This permits a secondary account to be able to sign into the web
  application as the primary account.
  
  In order to mitigate this vulnerability, Rails users should consider using the
  `omniauth-rails_csrf_protection` gem.
  
  More info is available here: https://github.com/omniauth/omniauth/pull/809#issuecomment-502079405

cvss_v2: 6.8
cvss_v3: 8.8

related:
  url:
    - https://github.com/cookpad/omniauth-rails_csrf_protection