ID CVE-2017-18076
Summary In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected because POST (in addition to GET) parameters are stored in the session and become available in the environment of the callback phase.
References
Vulnerable Configurations
  • cpe:2.3:a:omniauth:omniauth:-:*:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:0.0.1:*:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:0.0.3:*:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:0.0.4:*:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:0.0.5:*:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:0.1.0:*:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:0.1.1:*:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:0.1.2:*:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:0.1.3:*:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:0.1.4:*:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:0.1.5:*:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:0.1.6:*:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:0.2.0:-:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:0.2.0:beta1:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:0.2.0:beta2:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:0.2.0:beta3:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:0.2.0:beta4:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:0.2.0:beta5:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:0.2.1:*:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:0.2.2:*:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:0.2.3:*:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:0.2.4:*:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:0.2.5:*:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:0.2.6:*:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:0.3.0:-:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:0.3.0:rc1:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:0.3.0:rc2:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:0.3.0:rc3:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:0.3.1:*:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:0.3.2:*:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:1.0.0:-:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:1.0.0:beta1:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:1.0.0:rc1:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:1.0.0:rc2:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:1.0.1:*:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:1.0.2:*:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:1.0.3:*:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:1.1.0:*:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:1.1.1:*:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:1.1.2:*:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:1.1.3:*:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:1.1.4:*:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:1.2.0:*:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:1.2.1:*:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:1.2.2:*:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:1.3.0:*:*:*:*:ruby:*:*
  • cpe:2.3:a:omniauth:omniauth:1.3.1:*:*:*:*:ruby:*:*
  • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 03-10-2019 - 00:03)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access: Vector NETWORK, Complexity LOW, Authentication NONE
Impact: Confidentiality PARTIAL, Integrity NONE, Availability NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:N/A:N
refmap via4
  confirm
  debian: DSA-4109
Last major update 03-10-2019 - 00:03
Published 26-01-2018 - 19:29
Last modified 03-10-2019 - 00:03