GSD-2015-9284
Vulnerability from gsd - Updated: 2015-05-25 00:00Details
The request phase of the OmniAuth Ruby gem is vulnerable to Cross-Site
Request Forgery (CSRF) when used as part of the Ruby on Rails framework, allowing
accounts to be connected without user intent, user interaction, or feedback to
the user. This permits a secondary account to be able to sign into the web
application as the primary account.
In order to mitigate this vulnerability, Rails users should consider using the
`omniauth-rails_csrf_protection` gem.
More info is available here: https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2015-9284",
"description": "The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.",
"id": "GSD-2015-9284",
"references": [
"https://www.suse.com/security/cve/CVE-2015-9284.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "omniauth",
"purl": "pkg:gem/omniauth"
}
}
],
"aliases": [
"CVE-2015-9284",
"GHSA-ww4x-rwq6-qpgf"
],
"details": "The request phase of the OmniAuth Ruby gem is vulnerable to Cross-Site\nRequest Forgery (CSRF) when used as part of the Ruby on Rails framework, allowing\naccounts to be connected without user intent, user interaction, or feedback to\nthe user. This permits a secondary account to be able to sign into the web\napplication as the primary account.\n\nIn order to mitigate this vulnerability, Rails users should consider using the\n`omniauth-rails_csrf_protection` gem.\n\nMore info is available here: https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284\n",
"id": "GSD-2015-9284",
"modified": "2015-05-25T00:00:00.000Z",
"published": "2015-05-25T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284"
},
{
"type": "WEB",
"url": "https://github.com/omniauth/omniauth/pull/809"
},
{
"type": "WEB",
"url": "https://github.com/cookpad/omniauth-rails_csrf_protection"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 6.8,
"type": "CVSS_V2"
},
{
"score": 8.8,
"type": "CVSS_V3"
}
],
"summary": "CSRF vulnerability in OmniAuth\u0027s request phase"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2015-9284",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "omniauth ruby gem",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Request Forgery (CSRF) (CWE-352)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/omniauth/omniauth/pull/809",
"refsource": "MISC",
"url": "https://github.com/omniauth/omniauth/pull/809"
},
{
"name": "https://github.com/omniauth/omniauth-rails/pull/1",
"refsource": "MISC",
"url": "https://github.com/omniauth/omniauth-rails/pull/1"
},
{
"name": "[oss-security] 20150526 CVE Request: CSRF vulnerability in OmniAuth request phase",
"refsource": "MLIST",
"url": "https://www.openwall.com/lists/oss-security/2015/05/26/11"
},
{
"name": "https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284",
"refsource": "MISC",
"url": "https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2015-9284",
"cvss_v2": 6.8,
"cvss_v3": 8.8,
"date": "2015-05-25",
"description": "The request phase of the OmniAuth Ruby gem is vulnerable to Cross-Site\nRequest Forgery (CSRF) when used as part of the Ruby on Rails framework, allowing\naccounts to be connected without user intent, user interaction, or feedback to\nthe user. This permits a secondary account to be able to sign into the web\napplication as the primary account.\n\nIn order to mitigate this vulnerability, Rails users should consider using the\n`omniauth-rails_csrf_protection` gem.\n\nMore info is available here: https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284\n",
"gem": "omniauth",
"ghsa": "ww4x-rwq6-qpgf",
"patched_versions": [
"\u003e= 2.0.0"
],
"related": {
"url": [
"https://github.com/omniauth/omniauth/pull/809",
"https://github.com/cookpad/omniauth-rails_csrf_protection"
]
},
"title": "CSRF vulnerability in OmniAuth\u0027s request phase",
"url": "https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c=1.9.1",
"affected_versions": "All versions up to 1.9.1",
"cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-352",
"CWE-937"
],
"date": "2020-11-13",
"description": "The request phase of the OmniAuth is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.",
"fixed_versions": [
"2.0.0"
],
"identifier": "CVE-2015-9284",
"identifiers": [
"CVE-2015-9284"
],
"not_impacted": "All versions after 1.9.1",
"package_slug": "gem/omniauth",
"pubdate": "2019-04-26",
"solution": "Upgrade to version 2.0.0 or above.",
"title": "Cross-Site Request Forgery (CSRF)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2015-9284",
"https://www.openwall.com/lists/oss-security/2015/05/26/11",
"https://github.com/omniauth/omniauth-rails/pull/1",
"https://github.com/omniauth/omniauth/pull/809",
"https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284"
],
"uuid": "dc01db13-bc55-4076-a2cc-b69994ff69ab"
}
]
},
"nvd.nist.gov": {
"cve": {
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:omniauth:omniauth:*:*:*:*:*:ruby:*:*",
"matchCriteriaId": "E7DFDC87-A880-470C-8850-4137441C3745",
"versionEndExcluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account."
},
{
"lang": "es",
"value": "La fase request del GEM de OmniAuth Ruby (versi\u00f3n 1.9.1 y versiones anteriores) es vulnerable Cross-Site Request Forgery cuando se usa como parte del Ruby sobre Rails Framework, permite que las cuentas se conecten sin intenci\u00f3n del usuario, interacci\u00f3n de usuario o retroalimentaci\u00f3n al usuario. Esto permite a una cuenta secundaria poder iniciar sesi\u00f3n en la aplicaci\u00f3n web como la cuenta principal."
}
],
"id": "CVE-2015-9284",
"lastModified": "2024-02-14T16:29:38.470",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-04-26T15:29:00.267",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/omniauth/omniauth-rails/pull/1"
},
{
"source": "support@hackerone.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/omniauth/omniauth/pull/809"
},
{
"source": "support@hackerone.com",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284"
},
{
"source": "support@hackerone.com",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "https://www.openwall.com/lists/oss-security/2015/05/26/11"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "support@hackerone.com",
"type": "Secondary"
}
]
}
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…