gsd-2015-9284
Vulnerability from gsd
Modified
2015-05-25 00:00
Details
The request phase of the OmniAuth Ruby gem is vulnerable to Cross-Site
Request Forgery (CSRF) when used as part of the Ruby on Rails framework, allowing
accounts to be connected without user intent, user interaction, or feedback to
the user. This permits a secondary account to be able to sign into the web
application as the primary account.
In order to mitigate this vulnerability, Rails users should consider using the
`omniauth-rails_csrf_protection` gem.
More info is available here: https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2015-9284",
"description": "The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.",
"id": "GSD-2015-9284",
"references": [
"https://www.suse.com/security/cve/CVE-2015-9284.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "omniauth",
"purl": "pkg:gem/omniauth"
}
}
],
"aliases": [
"CVE-2015-9284",
"GHSA-ww4x-rwq6-qpgf"
],
"details": "The request phase of the OmniAuth Ruby gem is vulnerable to Cross-Site\nRequest Forgery (CSRF) when used as part of the Ruby on Rails framework, allowing\naccounts to be connected without user intent, user interaction, or feedback to\nthe user. This permits a secondary account to be able to sign into the web\napplication as the primary account.\n\nIn order to mitigate this vulnerability, Rails users should consider using the\n`omniauth-rails_csrf_protection` gem.\n\nMore info is available here: https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284\n",
"id": "GSD-2015-9284",
"modified": "2015-05-25T00:00:00.000Z",
"published": "2015-05-25T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284"
},
{
"type": "WEB",
"url": "https://github.com/omniauth/omniauth/pull/809"
},
{
"type": "WEB",
"url": "https://github.com/cookpad/omniauth-rails_csrf_protection"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 6.8,
"type": "CVSS_V2"
},
{
"score": 8.8,
"type": "CVSS_V3"
}
],
"summary": "CSRF vulnerability in OmniAuth\u0027s request phase"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2015-9284",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "omniauth ruby gem",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Request Forgery (CSRF) (CWE-352)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/omniauth/omniauth/pull/809",
"refsource": "MISC",
"url": "https://github.com/omniauth/omniauth/pull/809"
},
{
"name": "https://github.com/omniauth/omniauth-rails/pull/1",
"refsource": "MISC",
"url": "https://github.com/omniauth/omniauth-rails/pull/1"
},
{
"name": "[oss-security] 20150526 CVE Request: CSRF vulnerability in OmniAuth request phase",
"refsource": "MLIST",
"url": "https://www.openwall.com/lists/oss-security/2015/05/26/11"
},
{
"name": "https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284",
"refsource": "MISC",
"url": "https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2015-9284",
"cvss_v2": 6.8,
"cvss_v3": 8.8,
"date": "2015-05-25",
"description": "The request phase of the OmniAuth Ruby gem is vulnerable to Cross-Site\nRequest Forgery (CSRF) when used as part of the Ruby on Rails framework, allowing\naccounts to be connected without user intent, user interaction, or feedback to\nthe user. This permits a secondary account to be able to sign into the web\napplication as the primary account.\n\nIn order to mitigate this vulnerability, Rails users should consider using the\n`omniauth-rails_csrf_protection` gem.\n\nMore info is available here: https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284\n",
"gem": "omniauth",
"ghsa": "ww4x-rwq6-qpgf",
"patched_versions": [
"\u003e= 2.0.0"
],
"related": {
"url": [
"https://github.com/omniauth/omniauth/pull/809",
"https://github.com/cookpad/omniauth-rails_csrf_protection"
]
},
"title": "CSRF vulnerability in OmniAuth\u0027s request phase",
"url": "https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c=1.9.1",
"affected_versions": "All versions up to 1.9.1",
"cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-352",
"CWE-937"
],
"date": "2020-11-13",
"description": "The request phase of the OmniAuth is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.",
"fixed_versions": [
"2.0.0"
],
"identifier": "CVE-2015-9284",
"identifiers": [
"CVE-2015-9284"
],
"not_impacted": "All versions after 1.9.1",
"package_slug": "gem/omniauth",
"pubdate": "2019-04-26",
"solution": "Upgrade to version 2.0.0 or above.",
"title": "Cross-Site Request Forgery (CSRF)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2015-9284",
"https://www.openwall.com/lists/oss-security/2015/05/26/11",
"https://github.com/omniauth/omniauth-rails/pull/1",
"https://github.com/omniauth/omniauth/pull/809",
"https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284"
],
"uuid": "dc01db13-bc55-4076-a2cc-b69994ff69ab"
}
]
},
"nvd.nist.gov": {
"cve": {
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:omniauth:omniauth:*:*:*:*:*:ruby:*:*",
"matchCriteriaId": "E7DFDC87-A880-470C-8850-4137441C3745",
"versionEndExcluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account."
},
{
"lang": "es",
"value": "La fase request del GEM de OmniAuth Ruby (versi\u00f3n 1.9.1 y versiones anteriores) es vulnerable Cross-Site Request Forgery cuando se usa como parte del Ruby sobre Rails Framework, permite que las cuentas se conecten sin intenci\u00f3n del usuario, interacci\u00f3n de usuario o retroalimentaci\u00f3n al usuario. Esto permite a una cuenta secundaria poder iniciar sesi\u00f3n en la aplicaci\u00f3n web como la cuenta principal."
}
],
"id": "CVE-2015-9284",
"lastModified": "2024-02-14T16:29:38.470",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-04-26T15:29:00.267",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/omniauth/omniauth-rails/pull/1"
},
{
"source": "support@hackerone.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/omniauth/omniauth/pull/809"
},
{
"source": "support@hackerone.com",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284"
},
{
"source": "support@hackerone.com",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "https://www.openwall.com/lists/oss-security/2015/05/26/11"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "support@hackerone.com",
"type": "Secondary"
}
]
}
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…