PT-2018-6657 · Omniauth · Omniauth

Lalith Rallabhandi

Published

2018-01-26

Updated

2019-10-03

CVE-2017-18076

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: OmniAuth versions prior to 1.3.2

Description: The issue arises from improper protection of the authenticity token value in OmniAuth. Specifically, in the strategy.rb file, POST parameters, in addition to GET parameters, are stored in the session and become accessible in the environment during the callback phase.

Recommendations: For versions prior to 1.3.2, update to version 1.3.2 or later to resolve the issue.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2017-18076

DSA-4109-1

GHSA-9PR6-GRF4-X2FR

Affected Products

Omniauth

PT-2018-6657 · Omniauth · Omniauth

CVE-2017-18076

Related Identifiers

Affected Products

References · 19