7.5

CVE-2017-18076

In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected because POST (in addition to GET) parameters are stored in the session and become available in the environment of the callback phase.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
OmniauthOmniauth SwPlatformruby Version < 1.3.2
DebianDebian Linux Version8.0
DebianDebian Linux Version9.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.13% 0.797
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:P/I:N/A:N
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://bugs.debian.org/888523
Third Party Advisory
Issue Tracking
https://github.com/omniauth/omniauth/pull/867
Patch
Third Party Advisory
https://github.com/omniauth/omniauth/pull/867/commits/71866c5264122e196847a3980c43051446a03e9b
Patch
Third Party Advisory
https://www.debian.org/security/2018/dsa-4109
Third Party Advisory