PT-2019-7243 · Ruby+1 · Ruby On Rails+2

Mohamed Abdelbaset Elnoby

Published

2019-04-26

Updated

2024-02-14

CVE-2015-9284

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions OmniAuth Ruby gem versions 1.9.2 and earlier

Description The request phase of the OmniAuth Ruby gem is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework. This allows accounts to be connected without user intent, user interaction, or feedback to the user, permitting a secondary account to sign into the web application as the primary account.

Recommendations For OmniAuth Ruby gem versions 1.9.2 and earlier, update to version 2 or later and ensure that the default configuration is not modified to reintroduce the vulnerability. As a temporary workaround, consider configuring OmniAuth according to the recommended remediation to minimize the risk of exploitation.

Exploit

Fix

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-352

Related Identifiers

CVE-2015-9284

GHSA-WW4X-RWQ6-QPGF

Affected Products

Debian

Omniauth Ruby Gem

Ruby On Rails

PT-2019-7243 · Ruby+1 · Ruby On Rails+2

CVE-2015-9284

Weakness Enumeration

Related Identifiers

Affected Products

References · 21