RubySec

Providing security resources for the Ruby community

CVE-2019-15224 (omniauth_amazon): Code execution backdoor in omniauth_amazon

GEM

omniauth_amazon

SEVERITY

CVSS v3: 9.8

UNAFFECTED VERSIONS

  • < 1.0.1
  • > 1.0.1

PATCHED VERSIONS

None.

DESCRIPTION

The omniauth_amazon gem 1.0.1 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party.

Users of the affected version should consider downgrading to the last unaffected version before 1.0.1.
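One way to check a project's `Gemfile.lock` against the unaffected ranges listed in this advisory, as an added example that is not part of the original advisory or of RubySec's tooling. The function names and the sample lockfile are constructed for illustration.

```ruby
require "rubygems"

# Advisory data copied from this page: the gem and its unaffected ranges.
ADVISORY_GEM = "omniauth_amazon"
UNAFFECTED = ["< 1.0.1", "> 1.0.1"].map { |r| Gem::Requirement.new(r) }.freeze

# A version is affected when it falls in none of the unaffected ranges.
def affected?(version)
  UNAFFECTED.none? { |req| req.satisfied_by?(version) }
end

# Collect resolved versions from every "specs:" block of a Gemfile.lock.
# Resolved gems are indented four spaces; dependency constraints use six.
def locked_versions(lockfile_text)
  found = Hash.new { |hash, name| hash[name] = [] }
  in_specs = false
  lockfile_text.each_line do |line|
    if line.match?(/\A  specs:\s*\z/)
      in_specs = true
    elsif line.match?(/\A\S/)
      in_specs = false # a new top-level section (PLATFORMS, DEPENDENCIES, ...)
    elsif in_specs && (m = line.match(/\A {4}(\S+) \(([^)\s]+)\)\s*\z/))
      # Drop a platform suffix such as "-x86_64-linux" before parsing.
      found[m[1]] << Gem::Version.new(m[2].split("-").first)
    end
  end
  found
end

# Return the locked versions of the advisory's gem that are affected.
def backdoored_versions(lockfile_text)
  locked_versions(lockfile_text).fetch(ADVISORY_GEM, []).select { |v| affected?(v) }
end

# Constructed sample lockfile (not from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    specs:
      nokogiri (1.10.4-x86_64-linux)
      omniauth_amazon (1.0.1)
        omniauth-oauth2 (~> 1.1)
      omniauth-oauth2 (1.6.0)

  DEPENDENCIES
    omniauth_amazon
LOCK
hits = backdoored_versions(SAMPLE_LOCK)
puts "CVE-2019-15224: omniauth_amazon #{hits.join(', ')} is locked" unless hits.empty?
```

To scan a real project, pass `File.read("Gemfile.lock")` to `backdoored_versions`.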