This repository was archived by the owner on Jan 19, 2023. It is now read-only.

Missing Advisory: omniauth CVE-2015-9284 #79

@DarthHater

I'm unsure if this is truly missing, or the version range is wrong. Starting with missing since I don't have insight to see if it's the version range.

Advisory details

  URL: https://nvd.nist.gov/vuln/detail/CVE-2015-9284
  format: rubygem
  namespace: 
  name: omniauth
  versions: This affects up to the newest version, so `1.9.1` in this case, no fix has been released

From bundle-audit:

```
Name: omniauth
Version: 1.9.0
Advisory: CVE-2015-9284
Criticality: High
URL: https://github.com/omniauth/omniauth/pull/809
Title: CSRF vulnerability in OmniAuth's request phase
Solution: remove or disable this gem until a patch is available!

Vulnerabilities found!
```

More information
Basically, the fix for this has not been merged, more info can be seen here:

omniauth/omniauth#809

We found this issue while testing chelsea against the results from bundle-audit on a project.

Labels: advisory (An advisory missing from the OSS Index database)