RubySec

Providing security resources for the Ruby community

CVE-2015-9284 (omniauth): CSRF vulnerability in OmniAuth's request phase

ADVISORIES

GEM

omniauth

SEVERITY

CVSS v3: 8.8

CVSS v2: 6.8

PATCHED VERSIONS

  • >= 2.0.0

DESCRIPTION

The request phase of the OmniAuth Ruby gem is vulnerable to Cross-Site Request Forgery (CSRF) when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.

In order to mitigate this vulnerability, Rails users should consider using the omniauth-rails_csrf_protection gem.

More info is available here: https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284