Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2015-9284

Опубликовано: 26 апр. 2019
Источник: debian

Описание

The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
ruby-omniauthfixed2.0.4-2package
ruby-omniauthignoredbullseyepackage
ruby-omniauthignoredbusterpackage
ruby-omniauthno-dsastretchpackage
ruby-omniauthno-dsajessiepackage

Примечания

  • https://github.com/omniauth/omniauth/pull/809

  • https://www.openwall.com/lists/oss-security/2015/05/26/11

  • Upstream considers this resolved with the change of the default config in the 2.0.0 release

  • https://github.com/omniauth/omniauth/discussions/1017

Связанные уязвимости

ubuntu логотип

CVE-2015-9284

CVSS3: 8.8
ubuntu
почти 7 лет назад

The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.

redhat логотип

CVE-2015-9284

CVSS3: 8.1
redhat
больше 10 лет назад

The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.

nvd логотип

CVE-2015-9284

CVSS3: 8.8
nvd
почти 7 лет назад

The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.

github логотип

GHSA-ww4x-rwq6-qpgf

CVSS3: 8.8
github
больше 6 лет назад

OmniAuth Ruby gem Cross-site Request Forgery in request phase