RubySec

Providing security resources for the Ruby community

CVE-2024-21632 (omniauth-microsoft_graph): Omniauth::MicrosoftGraph Account takeover (nOAuth)

GEM

omniauth-microsoft_graph

SEVERITY

CVSS v3.x: 8.6 (High)

PATCHED VERSIONS

  • >= 2.0.0

DESCRIPTION

Summary

The implementation did not validate the legitimacy of the user's email attribute, nor did it provide or document an option to do so, making it susceptible to nOAuth misconfiguration in cases where the email is used as a trusted user identifier.
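The weakness described above is an application-side one: an OmniAuth auth hash carries an `info.email` value that the identity provider's tenant controls, so any login flow that looks up or auto-links local accounts by that email can be pointed at another user's account. The example below is added here and is not code from the advisory or from the omniauth-microsoft_graph gem; it assumes only OmniAuth's conventional auth-hash layout (`provider`, `uid`, `info.email`) and uses constructed sample values. It contrasts the weak lookup (keyed on email) with the hardened one (keyed on the provider's stable `uid`, with email kept as display data), and shows that an identity from a different tenant carrying the same email claim resolves to a separate account under the hardened path.

```ruby
# Added example: account resolution keyed on email (weak) versus on the
# identity provider's stable user id (hardened). Not part of the gem.

# Constructed auth hash in OmniAuth's conventional shape; values are made up.
LEGIT_AUTH = {
  'provider' => 'microsoft_graph',
  'uid'      => '11111111-aaaa-bbbb-cccc-222222222222', # constructed stable id
  'info'     => { 'email' => 'alice@example.com' }
}.freeze

# A second identity (different uid) whose email claim is set to the same
# address. The email claim is tenant-controlled and unverified, so it can
# collide across identities; the uid cannot.
OTHER_TENANT_AUTH = {
  'provider' => 'microsoft_graph',
  'uid'      => '99999999-dddd-eeee-ffff-333333333333', # constructed stable id
  'info'     => { 'email' => 'alice@example.com' }
}.freeze

# Minimal in-memory user table standing in for an application's User model.
class UserStore
  User = Struct.new(:id, :email, :provider, :uid)

  def initialize
    @users = []
    @next_id = 1
  end

  def create(email:, provider:, uid:)
    user = User.new(@next_id, email, provider, uid)
    @next_id += 1
    @users << user
    user
  end

  # Weak lookup: treats info.email as the identity. Every identity that
  # presents the same email claim resolves to the same local account.
  def find_by_email(auth)
    @users.find { |u| u.email == auth['info']['email'] }
  end

  # Hardened lookup: keys on (provider, uid), which the provider guarantees
  # is stable and unique. Email is never used to select an account.
  def find_by_provider_uid(auth)
    @users.find { |u| u.provider == auth['provider'] && u.uid == auth['uid'] }
  end

  # Hardened sign-in path: find by (provider, uid) or create a fresh account.
  # It deliberately never auto-links to an existing account by email.
  def resolve(auth)
    find_by_provider_uid(auth) ||
      create(email: auth['info']['email'],
             provider: auth['provider'],
             uid: auth['uid'])
  end
end

# Runs both lookups against a store holding Alice's account and reports
# which auth hashes land on it.
def demo
  store = UserStore.new
  alice = store.create(email: 'alice@example.com',
                       provider: 'microsoft_graph',
                       uid: LEGIT_AUTH['uid'])
  other = store.resolve(OTHER_TENANT_AUTH)
  {
    weak_other_hits_alice:    store.find_by_email(OTHER_TENANT_AUTH)&.id == alice.id,
    strong_other_hits_alice:  store.find_by_provider_uid(OTHER_TENANT_AUTH)&.id == alice.id,
    strong_legit_hits_alice:  store.find_by_provider_uid(LEGIT_AUTH)&.id == alice.id,
    resolve_creates_separate: other.id != alice.id && other.uid == OTHER_TENANT_AUTH['uid']
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

When migrating an existing application, the same rule applies to the one-time account-linking step: link an OmniAuth identity to an existing local user only through an authenticated session or an out-of-band verification the application controls, never by matching `info.email` alone.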

RELATED