Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
Related vulnerabilities
GSD-2012-6134
Vulnerability from gsd - Updated: 2012-09-08 00:00Details
The omniauth-oauth2 Ruby Gem contains a flaw that allows an attacker to
inject values into a user's session through a CSRF attack.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2012-6134",
"description": "Cross-site request forgery (CSRF) vulnerability in the omniauth-oauth2 gem 1.1.1 and earlier for Ruby allows remote attackers to hijack the authentication of users for requests that modify session state.",
"id": "GSD-2012-6134",
"references": [
"https://www.suse.com/security/cve/CVE-2012-6134.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "omniauth-oauth2",
"purl": "pkg:gem/omniauth-oauth2"
}
}
],
"aliases": [
"CVE-2012-6134",
"OSVDB-90264"
],
"details": "The omniauth-oauth2 Ruby Gem contains a flaw that allows an attacker to\ninject values into a user\u0027s session through a CSRF attack.\n",
"id": "GSD-2012-6134",
"modified": "2012-09-08T00:00:00.000Z",
"published": "2012-09-08T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-6134"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 6.8,
"type": "CVSS_V2"
}
],
"summary": "Ruby on Rails omniauth-oauth2 Gem CSRF vulnerability"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2012-6134",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF) vulnerability in the omniauth-oauth2 gem 1.1.1 and earlier for Ruby allows remote attackers to hijack the authentication of users for requests that modify session state."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Shopify/omniauth-shopify-oauth2/pull/1",
"refsource": "MISC",
"url": "https://github.com/Shopify/omniauth-shopify-oauth2/pull/1"
},
{
"name": "https://github.com/intridea/omniauth-oauth2/pull/25",
"refsource": "CONFIRM",
"url": "https://github.com/intridea/omniauth-oauth2/pull/25"
},
{
"name": "http://rubysec.github.io/advisories/CVE-2012-6134/",
"refsource": "MISC",
"url": "http://rubysec.github.io/advisories/CVE-2012-6134/"
},
{
"name": "https://gist.github.com/homakov/3673012",
"refsource": "MISC",
"url": "https://gist.github.com/homakov/3673012"
},
{
"name": "[oss-security] 20130213 Some rubygems related CVEs",
"refsource": "MLIST",
"url": "http://seclists.org/oss-sec/2013/q1/304"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2012-6134",
"cvss_v2": 6.8,
"date": "2012-09-08",
"description": "The omniauth-oauth2 Ruby Gem contains a flaw that allows an attacker to\ninject values into a user\u0027s session through a CSRF attack.\n",
"gem": "omniauth-oauth2",
"osvdb": 90264,
"patched_versions": [
"\u003e= 1.1.1"
],
"title": "Ruby on Rails omniauth-oauth2 Gem CSRF vulnerability",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-6134"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c1.1.1",
"affected_versions": "All versions before 1.1.1",
"cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-352",
"CWE-937"
],
"date": "2019-08-02",
"description": "The package omniauth-oauth2 for Ruby contains a flaw related to `omniauth.state` that allows a remote attacker to conduct a session injection attack. This flaw exists because the application, when establishing a new session, does not invalidate an existing session identifier and assign a new one. With a specially crafted request fixating the session identifier, a context-dependent attacker can ensure a user authenticates with the known session identifier, allowing the session to be subsequently hijacked.",
"fixed_versions": [
"1.1.1"
],
"identifier": "CVE-2012-6134",
"identifiers": [
"CVE-2012-6134"
],
"package_slug": "gem/omniauth-oauth2",
"pubdate": "2013-04-09",
"solution": "Upgrade",
"title": "CSRF vulnerability, injecting state in session",
"urls": [
"http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6134",
"https://github.com/intridea/omniauth-oauth2/pull/25"
],
"uuid": "af452092-27c8-4e10-9773-7697ef56dc14"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:omniauth-oauth2_project:omniauth-oauth2:*:*:*:*:*:ruby:*:*",
"cpe_name": [],
"versionEndExcluding": "1.1.1",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2012-6134"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in the omniauth-oauth2 gem 1.1.1 and earlier for Ruby allows remote attackers to hijack the authentication of users for requests that modify session state."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://rubysec.github.io/advisories/CVE-2012-6134/",
"refsource": "MISC",
"tags": [
"Broken Link"
],
"url": "http://rubysec.github.io/advisories/CVE-2012-6134/"
},
{
"name": "https://gist.github.com/homakov/3673012",
"refsource": "MISC",
"tags": [
"Broken Link"
],
"url": "https://gist.github.com/homakov/3673012"
},
{
"name": "https://github.com/intridea/omniauth-oauth2/pull/25",
"refsource": "CONFIRM",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/intridea/omniauth-oauth2/pull/25"
},
{
"name": "https://github.com/Shopify/omniauth-shopify-oauth2/pull/1",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/Shopify/omniauth-shopify-oauth2/pull/1"
},
{
"name": "[oss-security] 20130213 Some rubygems related CVEs",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/oss-sec/2013/q1/304"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": true
}
},
"lastModifiedDate": "2019-08-02T15:33Z",
"publishedDate": "2013-04-09T20:55Z"
}
}
}