PT-2024-18984 · Rubygems · Omniauth-Microsoft Graph
Makuga01 · Published 2024-01-02 · Updated 2024-01-09
CVE-2024-21632
CVSS v3.1 8.6 High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
omniauth-microsoft_graph versions prior to 2.0.0
Description
The implementation did not validate the legitimacy of the user's email attribute, nor did it provide or document an option to do so, making it susceptible to the nOAuth misconfiguration when the email is used as a trusted user identifier. This could lead to account takeover.
Recommendations
For versions prior to 2.0.0, update to version 2.0.0 to resolve the issue. As a temporary workaround, validate the legitimacy of the email attribute manually until the patch is applied, and restrict the use of the email attribute as a trusted user identifier to minimize the risk of exploitation.
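As an added illustration (not code from the gem or from this advisory), the Ruby below resolves a local account from decoded ID-token claims without trusting the email claim: it keys on the tenant and object ids and accepts the email for linking only when the token marks its domain as verified. The claims hash is constructed, and the use of Microsoft's optional `xms_edov` claim as the verification signal is an assumption about how the application requests its tokens.

```ruby
# Added defensive example: derive a user identity from Microsoft ID-token
# claims without trusting the mutable "email" claim.

# Constructed sample claims, shaped like a decoded ID-token payload.
# In a real application these come from the signature-verified id_token.
SAMPLE_CLAIMS = {
  'tid'      => '11111111-aaaa-bbbb-cccc-000000000001', # tenant the user belongs to
  'oid'      => '22222222-aaaa-bbbb-cccc-000000000002', # immutable object id in that tenant
  'email'    => 'victim@example.com',                   # set by the tenant admin, unverified
  'xms_edov' => false                                   # domain ownership not verified
}.freeze

# Stable identifier the tenant admin cannot point at another user's account:
# tenant id plus object id. Never key accounts on the email claim alone.
def stable_user_key(claims)
  tid = claims['tid']
  oid = claims['oid']
  raise ArgumentError, 'missing tid/oid claims' if tid.nil? || oid.nil?
  "#{tid}:#{oid}"
end

# Email is acceptable for account linking only when the issuing tenant has
# proven it owns the domain (assumption: the xms_edov claim was requested).
def trusted_email(claims)
  email = claims['email']
  return nil if email.nil? || email.empty?
  return nil unless claims['xms_edov'] == true
  email.downcase
end

# Look up or create the local account. Links by the stable key first and by
# email only when the email is trusted, so an unverified email never matches
# an existing account, which is exactly the condition nOAuth abuses.
def resolve_account(claims, accounts)
  key = stable_user_key(claims)
  found = accounts.find { |a| a[:provider_key] == key }
  return found if found
  email = trusted_email(claims)
  if email
    found = accounts.find { |a| a[:email] == email }
    return found if found
  end
  { provider_key: key, email: email } # new, unlinked account
end
```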
Exploit
Fix
Weakness Enumeration
Improper Authentication
Related Identifiers
Affected Products
Omniauth-Microsoft Graph