ADVISORIES

• CVE-2019-15224 (NVD)
• GHSA-333g-rpr4-7hxq
• Vendor Advisory

GEM

omniauth_amazon

SEVERITY

CVSS v3.x: 9.8 (Critical)

UNAFFECTED VERSIONS

• < 1.0.1
• > 1.0.1

PATCHED VERSIONS

None.

DESCRIPTION

The omniauth_amazon gem 1.0.1 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party.

Users of an affected version should consider downgrading to the last non-affected version of 1.0.1.

RELATED

• https://github.com/rubygems/rubygems.org/wiki/Gems-yanked-and-accounts-locked#19-aug-2019