Описание
omniauth-microsoft_graph provides an Omniauth strategy for the Microsoft Graph API. Prior to versions 2.0.0, the implementation did not validate the legitimacy of the email attribute of the user nor did it give/document an option to do so, making it susceptible to nOAuth misconfiguration in cases when the email is used as a trusted user identifier. This could lead to account takeover. Version 2.0.0 contains a fix for this issue.
Ссылки
- Patch
- Vendor Advisory
- Exploit
- Patch
- Vendor Advisory
- Exploit
Уязвимые конфигурации
Конфигурация 1Версия до 2.0.0 (исключая)
cpe:2.3:a:recognizeapp:omniauth\:\:microsoftgraph:*:*:*:*:*:ruby:*:*
EPSS
Процентиль: 54%
0.00313
Низкий
8.6 High
CVSS3
9.8 Critical
CVSS3
Дефекты
CWE-287
Связанные уязвимости
CVSS3: 8.6
github
около 2 лет назад
Omniauth::MicrosoftGraph Account takeover (nOAuth)
EPSS
Процентиль: 54%
0.00313
Низкий
8.6 High
CVSS3
9.8 Critical
CVSS3
Дефекты
CWE-287