simi / omniauth-facebook

Facebook OAuth2 Strategy for OmniAuth
https://simi.github.io/omniauth-facebook/
1.26k stars 403 forks

example/Gemfile.lock references an insecure version of omniauth #390

Closed trak3r closed 5 months ago

trak3r commented 5 months ago

Problem

The file example/Gemfile.lock references an old version of omniauth (1.9.1) which has a security advisory (CVE-2020-36599) which triggers a "Critical Finding" from AWS Inspector.

Resolution

Update to the latest compatible version of the omniauth gem please.

References

https://github.com/simi/omniauth-facebook/blob/master/example/Gemfile.lock#L27

"type": "PACKAGE_VULNERABILITY",
"description": "lib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2 (and before 2.0) does not escape the message_key value.",
"title": "CVE-2020-36599 - omniauth",
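The check AWS Inspector performed here, scanning a Gemfile.lock for a pinned gem version that falls below an advisory's patched version, as an added example (not code from omniauth-facebook or from omniauth). The advisory table is constructed from the finding quoted above (omniauth before 1.9.2, CVE-2020-36599); the lockfile content is a constructed sample that mirrors the 1.9.1 pin reported in the issue, and the parser assumes the standard Bundler lockfile layout (four-space indent for resolved gems, six for their dependency constraints).

```ruby
# Added example, not part of omniauth-facebook: flag gems in a Gemfile.lock
# whose pinned version is below the patched version of a known advisory.
require "rubygems"

# Advisory data constructed from the AWS Inspector finding quoted in the issue:
# omniauth < 1.9.2 does not escape message_key in lib/omniauth/failure_endpoint.rb.
ADVISORIES = {
  "omniauth" => [
    { id: "CVE-2020-36599", patched: Gem::Version.new("1.9.2") }
  ]
}.freeze

# Parse the "specs:" sections of a Gemfile.lock and return { name => Gem::Version }.
# Resolved gems are the four-space-indented "name (x.y.z)" lines; the six-space
# lines beneath them are dependency constraints, not pins, and are skipped.
def parse_lockfile(text)
  gems = {}
  in_specs = false
  text.each_line do |line|
    if line =~ /^  specs:/
      in_specs = true
      next
    end
    in_specs = false if line =~ /^\S/   # new top-level section (GEM, PLATFORMS, ...)
    next unless in_specs
    if line =~ /^    (\S+) \(([^)]+)\)\s*$/
      # Bundler appends "-<platform>" for platform-specific gems; drop it so
      # Gem::Version only sees the numeric version.
      gems[$1] = Gem::Version.new($2.split("-").first)
    end
  end
  gems
end

# Return one finding per (gem, advisory) pair where the pinned version is
# older than the advisory's patched version.
def vulnerable_gems(gems)
  gems.flat_map do |name, version|
    (ADVISORIES[name] || []).select { |adv| version < adv[:patched] }.map do |adv|
      { gem: name, version: version.to_s, id: adv[:id], patched: adv[:patched].to_s }
    end
  end
end

# Constructed sample lockfile reproducing the omniauth 1.9.1 pin from the issue.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      hashie (4.1.0)
      omniauth (1.9.1)
        hashie (>= 3.4.6)
        rack (>= 1.6.2, < 3)
      rack (2.2.3)

  PLATFORMS
    ruby

  DEPENDENCIES
    omniauth
LOCK

if __FILE__ == $PROGRAM_NAME
  vulnerable_gems(parse_lockfile(SAMPLE_LOCKFILE)).each do |f|
    puts "#{f[:gem]} #{f[:version]}: #{f[:id]} (fixed in #{f[:patched]})"
  end
end
```

Running the script against the sample prints the single omniauth finding; pointing `parse_lockfile` at `File.read("example/Gemfile.lock")` instead gives the same result the scanner reported, and the finding disappears once the pin is raised to 1.9.2 or later.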
simi commented 5 months ago

Hello! Thanks for the report. Would you mind sending a PR fixing this?