Published: 26 Jan 2018
Source: ubuntu
Priority: medium
EPSS: Low
CVSS2: 5
CVSS3: 7.5
Description
In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected because POST (in addition to GET) parameters are stored in the session and become available in the environment of the callback phase.
| Release | Status | Note |
|---|---|---|
| artful | released | 1.3.1-1+deb9u1build0.17.10.1 |
| bionic | not-affected | 1.3.1-2 |
| cosmic | not-affected | 1.3.1-2 |
| devel | not-affected | 1.3.1-2 |
| disco | not-affected | 1.3.1-2 |
| esm-apps/bionic | not-affected | 1.3.1-2 |
| esm-apps/xenial | released | 1.3.1-1+deb9u1build0.16.04.1 |
| esm-infra-legacy/trusty | DNE | trusty/esm was DNE [trusty was needed] |
| precise/esm | DNE | |
| trusty | ignored | end of standard support |
EPSS: 0.00439 (Low), percentile: 63%
CVSS2: 5 Medium
CVSS3: 7.5 High
Related vulnerabilities
CVSS3: 7.5
nvd
about 8 years ago
In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected because POST (in addition to GET) parameters are stored in the session and become available in the environment of the callback phase.
CVSS3: 7.5
debian
about 8 years ago
In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value ...
CVSS3: 7.5
github
about 8 years ago
Omniauth allows POST parameters to be stored in session