PT-2020-16380 · Omniauth · Omniauth-Apple

Davidtaylorhq · Published 2020-12-08 · Updated 2020-12-10 · CVE-2020-26254

CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: omniauth-apple versions prior to 1.0.1
Description: The issue allows attackers to fake their email address during authentication, impacting applications that use the omniauth-apple strategy of OmniAuth and rely on the info.email field for identification. The value of info.email can be set to any value, including other users' email addresses. Applications that identify users by the uid field rather than info.email are not impacted in the same manner, although they may still be negatively affected if info.email is used for other purposes.
Recommendations: To resolve the issue, upgrade to omniauth-apple version 1.0.1 or later. As a temporary workaround, consider monkey patching OmniAuth::Strategies::Apple#email to use id_info['email'] instead.

Weakness Enumeration

Authentication Bypass by Spoofing

Related Identifiers

CVE-2020-26254
GHSA-49R3-2549-3633

Affected Products

Omniauth-Apple