PT-2019-12147 · Ruby · Ruby-Openid

Chris · Published 2019-06-10 · Updated 2019-10-11 · CVE-2019-11027

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Ruby OpenID (aka ruby-openid) versions 2.8.0 and earlier
Description: The issue is a remotely exploitable Server-Side Request Forgery (SSRF) vulnerability. It occurs because the library performs discovery first and verification afterwards, so an attacker can change the URL used for discovery and make the server connect to a private host that is not publicly reachable. The severity ranges from medium to critical depending on how web application developers employ the ruby-openid library. Developers who based their OpenID integration heavily on the example app provided by the project are at the highest risk.
Recommendations: For versions 2.8.0 and earlier, consider disabling the OpenID discovery feature until a patch is available, or restrict the URLs that can be used for discovery to prevent SSRF attacks.
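An added example of the second recommendation, not part of this advisory or of ruby-openid: a gate in Ruby that validates a user-supplied OpenID identifier before the library fetches it, rejecting anything that resolves to loopback, link-local, private or multicast space. The blocked range list, the 80/443 port policy and the injectable `resolver` are assumptions made for this example.

```ruby
require "uri"
require "ipaddr"
require "resolv"

# Ranges a discovery fetch must never reach (constructed policy for this
# example; extend it to cover your own internal address space).
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4
  ::/128 ::1/128 fc00::/7 fe80::/10 ff00::/8
].map { |cidr| IPAddr.new(cidr) }

def blocked_address?(ip)
  addr = IPAddr.new(ip.to_s)
  # Unwrap IPv4-mapped IPv6 so ::ffff:127.0.0.1 is judged as 127.0.0.1.
  addr = addr.native if addr.ipv6? && addr.ipv4_mapped?
  BLOCKED_RANGES.any? { |range| range.include?(addr) }
end

# Gate for a user-supplied OpenID identifier, run before discovery.
# Returns [true, ip] when the fetch may proceed, [false, reason] otherwise.
# `resolver` is injectable so the check can be exercised without live DNS;
# the default uses the system resolver.
def safe_discovery_target(identifier, resolver: ->(h) { Resolv.getaddresses(h) })
  begin
    uri = URI.parse(identifier)
  rescue URI::InvalidURIError
    return [false, "unparseable URL"]
  end
  return [false, "scheme must be http or https"] unless %w[http https].include?(uri.scheme)
  host = uri.hostname # brackets already stripped for IPv6 literals
  return [false, "missing host"] if host.nil? || host.empty?
  return [false, "userinfo not allowed"] unless uri.userinfo.nil?
  return [false, "non-standard port"] unless [80, 443].include?(uri.port) # policy choice

  literal = (IPAddr.new(host) rescue nil)
  ips = literal ? [literal] : resolver.call(host).map { |s| IPAddr.new(s) }
  return [false, "host did not resolve"] if ips.empty?
  blocked = ips.find { |ip| blocked_address?(ip) }
  return [false, "resolves to blocked address #{blocked}"] if blocked
  # The caller should connect to the returned IP (sending `host` in the Host
  # header) rather than re-resolving, which closes the DNS-rebinding window.
  [true, ips.first.to_s]
end
```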

Related Identifiers

CVE-2019-11027
DLA-1956-1
GHSA-FQFJ-CMH6-HJ49

Affected Products

Ruby-Openid