In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected because POST (in addition to GET) parameters are stored in the session and become available in the environment of the callback phase.
References
Link | Resource |
---|---|
https://bugs.debian.org/888523 | Issue Tracking Third Party Advisory |
https://github.com/omniauth/omniauth/pull/867 | Patch Third Party Advisory |
https://github.com/omniauth/omniauth/pull/867/commits/71866c5264122e196847a3980c43051446a03e9b | Patch Third Party Advisory |
https://www.debian.org/security/2018/dsa-4109 | Third Party Advisory |
https://bugs.debian.org/888523 | Issue Tracking Third Party Advisory |
https://github.com/omniauth/omniauth/pull/867 | Patch Third Party Advisory |
https://github.com/omniauth/omniauth/pull/867/commits/71866c5264122e196847a3980c43051446a03e9b | Patch Third Party Advisory |
https://www.debian.org/security/2018/dsa-4109 | Third Party Advisory |
Configurations
History
21 Nov 2024, 03:19
Type | Values Removed | Values Added |
---|---|---|
References | () https://bugs.debian.org/888523 - Issue Tracking, Third Party Advisory | |
References | () https://github.com/omniauth/omniauth/pull/867 - Patch, Third Party Advisory | |
References | () https://github.com/omniauth/omniauth/pull/867/commits/71866c5264122e196847a3980c43051446a03e9b - Patch, Third Party Advisory | |
References | () https://www.debian.org/security/2018/dsa-4109 - Third Party Advisory |
Information
Published : 2018-01-26 19:29
Updated : 2024-11-21 03:19
NVD link : CVE-2017-18076
Mitre link : CVE-2017-18076
CVE.ORG link : CVE-2017-18076
JSON object : View
Products Affected
debian
- debian_linux
omniauth
- omniauth
CWE