The request phase of the OmniAuth Ruby gem is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.
CVE-2015-9284 - High Severity Vulnerability
A generalized Rack framework for multiple-provider authentication.
Library home page: https://rubygems.org/gems/omniauth-1.9.0.gem
Path to dependency file: /chaltron/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.3.0/cache/omniauth-1.9.0.gem
Dependency Hierarchy: - gitlab_omniauth-ldap-2.1.1.gem (Root Library) - :x: **omniauth-1.9.0.gem** (Vulnerable Library)
Found in HEAD commit: d21028cd02d14abca6761f653c04fc95bf92973c
The request phase of the OmniAuth Ruby gem is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.
Publish Date: 2019-04-26
URL: CVE-2015-9284
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here.Step up your Open Source Security Game with WhiteSource here