RubySec

Providing security resources for the Ruby community

CVE-2020-36599 (omniauth): OmniAuth's `lib/omniauth/failure_endpoint.rb` does not escape `message_key` value

GEM

omniauth

SEVERITY

CVSS v3.x: 9.8 (Critical)

PATCHED VERSIONS

  • ~> 1.9.2
  • >= 2.0.0

DESCRIPTION

`lib/omniauth/failure_endpoint.rb` in OmniAuth before 1.9.2 (and before 2.0.0) does not escape the `message_key` value before including it in the failure response.
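As an added illustration (not OmniAuth's own code, and not the patch), the following shows the class of defect the advisory describes and the corresponding fix: a request-derived `message_key` interpolated into an HTML response as-is, beside the same endpoint with the value HTML-escaped first. The Rack env key `omniauth.error.type` and the response wording are assumptions for this example.

```ruby
require "cgi"

# Vulnerable form (for contrast only): the key is dropped straight into HTML,
# so any markup it contains becomes part of the page.
def render_failure_unescaped(message_key)
  "<p>Authentication failed: #{message_key}</p>"
end

# Fixed form: escape the untrusted value so it is rendered as text.
# CGI.escapeHTML encodes <, >, &, " and '.
def render_failure(message_key)
  safe = CGI.escapeHTML(message_key.to_s)
  "<p>Authentication failed: #{safe}</p>"
end

# Minimal Rack-style failure endpoint using the fixed renderer.
# The env key name is an assumption for this example; the value is treated as
# untrusted because it is derived from the incoming request.
def failure_endpoint(env)
  key = env.fetch("omniauth.error.type", "unknown")
  [403, { "content-type" => "text/html" }, [render_failure(key)]]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: a key that happens to contain markup.
  status, _headers, body = failure_endpoint("omniauth.error.type" => "<b>bad</b>")
  puts status
  puts body.first
end
```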