datacite / omniauth-orcid

ORCID Strategy for OmniAuth
MIT License

Security vulnerability alert CVE-2015-9284 #16

Open dshorthouse opened 5 years ago

dshorthouse commented 5 years ago

Because your gem has OmniAuth as a dependency, be aware of the security vulnerability alert CVE-2015-9284, https://nvd.nist.gov/vuln/detail/CVE-2015-9284, and then the epic discussions at https://github.com/omniauth/omniauth/pull/809. Anyone who uses your gem will receive a visible warning in their GitHub repo and as a response with every push. While there doesn't seem to be a multi-platform solution to this vulnerability, sending POSTs in the token_method (and NOT GETs) is at least a start.
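As an added illustration of the mitigation the issue points at (not code from omniauth-orcid or from OmniAuth itself): CVE-2015-9284 is abused through a GET to the request-phase URL (`/auth/orcid`), so the fix that the linked OmniAuth discussion converged on is to accept only POST there and to require a CSRF token bound to the visitor's session. In a real app that is done with `OmniAuth.config.allowed_request_methods = [:post]` plus a CSRF check (for Rails, the omniauth-rails_csrf_protection gem); the Rack-style guard below reimplements the same two checks in plain Ruby so it runs offline. The class `RequestPhaseGuard`, the `simulate` helper, the session id and the secret are all constructed for this example.

```ruby
require 'securerandom'
require 'openssl'
require 'stringio'
require 'uri'

# Constructed Rack-style middleware guarding the OmniAuth request phase.
# It is not OmniAuth's implementation; it mirrors the effect of
# OmniAuth.config.allowed_request_methods = [:post] plus a CSRF token check.
class RequestPhaseGuard
  REQUEST_PATH = %r{\A/auth/[a-z_]+\z}

  def initialize(app, allowed_methods: ['POST'], secret: SecureRandom.hex(32))
    @app = app
    @allowed = allowed_methods
    @secret = secret
  end

  # Token to embed in the site's own login form: an HMAC of the session id,
  # so a page on another origin cannot compute a valid one.
  def csrf_token_for(session_id)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, session_id.to_s)
  end

  def call(env)
    return @app.call(env) unless REQUEST_PATH.match?(env['PATH_INFO'].to_s)

    # Check 1: the flow may only be started with an allowed method (POST).
    unless @allowed.include?(env['REQUEST_METHOD'])
      return [405, {}, ["request phase only accepts #{@allowed.join('/')}"]]
    end

    # Check 2: the POST must carry the session-bound token from our own form.
    body = env['rack.input'] ? env['rack.input'].read : ''
    params = URI.decode_www_form(body).to_h
    expected = csrf_token_for(env['rack.session.id'])
    unless secure_compare(params['authenticity_token'].to_s, expected)
      return [403, {}, ['missing or invalid CSRF token']]
    end

    @app.call(env)
  end

  private

  # Constant-time comparison so the token check does not leak via timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Downstream stand-in for the OmniAuth strategy: it would redirect to the provider.
DOWNSTREAM = ->(_env) { [302, { 'location' => 'https://orcid.org/oauth/authorize' }, []] }
GUARD = RequestPhaseGuard.new(DOWNSTREAM, secret: 'constructed-test-secret')

# Build a constructed Rack env and return only the status code.
def simulate(method, path, session_id: 'sess-1', body: '')
  env = {
    'REQUEST_METHOD' => method,
    'PATH_INFO' => path,
    'rack.session.id' => session_id,
    'rack.input' => StringIO.new(body)
  }
  GUARD.call(env).first
end

# A cross-origin GET to /auth/orcid (the CVE-2015-9284 vector) is refused.
def status_for_cross_site_get
  simulate('GET', '/auth/orcid')
end

# A POST that lacks the session-bound token is refused as well.
def status_for_post_without_token
  simulate('POST', '/auth/orcid')
end

# The site's own form posts the token for the current session and passes through.
def status_for_legitimate_post
  token = GUARD.csrf_token_for('sess-1')
  simulate('POST', '/auth/orcid', body: URI.encode_www_form('authenticity_token' => token))
end

# Paths outside the request phase are untouched by the guard.
def status_for_unrelated_get
  simulate('GET', '/profile')
end
```

The two checks are deliberately separate: rejecting GET alone stops the link/image style of cross-site trigger but not a form auto-submitted from another origin, which is why the token bound to the session is needed on top of the method restriction.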